Saturday, September 21, 2013

Red Sky Weekly: Bruce Willis and Harrison Ford don't lie!

When is fiction based on truth? Would you believe it if you saw it?

Blowing up buildings, killing off the entire air traffic control grid, and stealing gobs and gobs of money. Live Free or Die Hard is the story of a guy (Bruce Willis) who does it all. Harrison Ford uses the database built into his daughter's iPod to move 10 million accounts from the bank where he's the CISO to an offshore account, while his family lived (unknowingly at first) under the threat of being killed in Firewall.

Too far-fetched for your liking?  Alarmist or realist?... you decide...

  • I published the (very true) story of “woshihaoren” (我是好人) in April (Red Sky Weekly: “woshihaoren”). It told the story of a cat and mouse game between a real CISO (I called him Jack) and a group of folks somewhere on the other side of the world. Jack's outgunned and probably will never get these guys out of his networks, but he shuts them down quickly. Heck, he's probably their training ground... (maybe we'll see a new movie? -Training Day III?)
  • I delivered the news to another CISO that an application that his company purchased (for a BOAT LOAD of money) was bought from another company who'd been completely p0wned. The result? The application he purchased was likely owned too... and probably leaking data.
  • In yet another, I informed a CISO last week that he'd had several emails heading for his company, all with malware attached. How would I know? Let's just say I do ok? We received a copy of the malware, and sure enough... it wasn't a birthday card from gramma! The information we gave him was less than 30 minutes old and the malware was undetected in the major virus engines.

When I talk with real life CISOs who've been through the 'oh sh*t' moment, every one says of those who don't know enough to share information that "they've never been through the giant sucking sound" (one CISO's quote.. not mine), or the idea that a virus might not be just a virus.. or the idea that we look at seven different areas connected by time to figure out how a chain of events occurred.

And if you think for one second that these movies aren't based on seeds of truth, I'd tell you this... the cat and mouse game is very real.  We've been doing this for two years as Red Sky Alliance and for several more before that... probably back to the roots -- the early days, old school, Solar Sunrise, Moonlight Maze, Titan Rain, APT, and now. As these things move more into the mainstream, well... names stop when the new threats become the new normal... welcome to the new normal. 

Here's the bottom line... over the last few months we've compiled a list of companies who we believe are being actively targeted. We're not chasing ambulances and we're not the old glass repair guy running around in the parking lot with a hammer. We're a group looking out for each other. The community watch. The 'hoot 'n holler' network. We want to know when one of our own will be hit. Heck, we told one of our members that they were being targeted. We gave them a dozen domains and IP addresses that were going to be used, and we grabbed the malware, analyzed it, and published the defensive findings before the attacks occurred. We named (by company name) six companies that we thought might be targeted. We published our findings to the membership, but warned the specific member (who handles security for the other six) privately. This stuff works. 

BT BT
  • This week's fusion report detailed a shift in tactics by one group, moving to a new downloader process for a specific remote access trojan. A remote access trojan, RAT, allows hackers to have full control and interactivity with the machine or machines where they have it installed. We've been seeing this in some of the discussion boards outside of Red Sky and took some time this week to send out some good analysis (and mitigations or courses) to our members.
  • We published a report on a bad guy that we've been tracking for several months now. The guy is active but practices really good tradecraft --no social media, not much open source communications --and seemingly never has, yet he's either an urban legend or he's just really careful.. not sure yet, but we know he writes some hellish malware.
  • We took on a bit of a GEOPOL project this week. More to follow as that unfolds, but this is reminiscent of my first project as an Intelligence Officer.. basics count and they need to be taught; so we're teaching a junior analyst. 

We're in our year-end membership push. We had 22 meetings in the last two weeks, putting four new members in front of the Advisory Board. We've also been asked (and have agreed to a test) to write targeted threat intelligence reporting for a couple of members. We'd been doing it for the last six months for one, and thought it might be a good second offering instead of some of the other more piecemeal work we've been doing in the lab. We like threat intelligence and we're really good at it. In fact, we've published over 100 analytic works in the last 18 months, and thought we might explore growth in the area of taking on a few clients to keep our minds nimble. So far, the reception has been terrific. 

I'll be at the Cyber Security Summit with Rick and Chris on Wednesday. Stop by and say hello. The booth will be sparse, but I'll have that target list in my pocket. You should ask me if you're on it! I've got an invitation for you if needed. It'll get you a discount on admission. I've placed it below the blog if you'd like to use it. We'll be in booth 211, and I'm sitting a panel in the early afternoon. The early attendee list looks good, so I'm looking forward to meeting some new people!

See you there!
Jeff

Saturday, September 14, 2013

“How do all the others stand a chance?”

  • “Sharing intelligence in a forum like Red Sky is a force multiplier!”
  • “How do all the others (who don’t participate) stand a chance?”
  • “What do companies do when they can’t (or don’t want to) go to the government for help?”
        • (Quoted from a former member of the Defense Industrial Base who recently made an inquiry about Red Sky Alliance membership --and is joining us now!)


We’ve been putting on the end of year membership drive for the last week. I had 16 appointments scheduled between last week and next --dinners, reconnections, lunches, and visits with potential new members. Three new membership packages have been issued this week. They’ll all be going through legal review on the company side, and likely entering the portal in the next couple of weeks. Next week? I have three every day. I went WAY over my goal of 20 for the two weeks. I work with overachievers who like to please.. and they do it well.. for the Red Sky team, and our members!


On that, I wanted to share with you a bit about happenings this week.


  • We held threat day in the global NOC of one of the telecoms. What a great day! Thank you again to our hosts!
  • We issued a couple of new reports --both pretty cool actually. One detailed new activities associated with one of the groups that’s pretty prolific against just about every industry right now. The other is one of our newer priority intelligence reports; these are based on a set of priority and standing questions that we ask, and when we find a piece of the puzzle(s), we write it up in a short-format product.


We received another query for tailored reporting. We’ve been getting a few of these lately. Apparently there’s a real need for unclassified Threat Intelligence and the word is spreading that Red Sky has good gouge. So over the course of the year we’ve done some work for a couple of organizations where we take an analyst or two (who work remotely) and become the virtual extension of the company’s Threat Intelligence shop. We’ve got over a hundred technical and intelligence reports in internal publication, and believe we’ve got a pretty good process, and the know-how that goes with it! We like this model --not consulting per se, but we actively hunt for information that might help our reader. They don’t get Red Sky data unless they’re a member, but they still like the work. We do the work under Wapack Labs, and have taken a number of these ‘moped’ work requests.. why moped? One of my guys likes to say that everyone likes to ride them, but nobody wants to be seen with one! We’re kinda the same way… everyone likes the work, but nobody wants to be seen with us (and we like it quiet too!).

Before I forget, I'm looking forward to seeing many of you at the Cyber Security Summit 2013 in NY on the 25th. We've never done a booth before (we're in 211). Getting it done is interesting. I'll be sitting a panel in the afternoon. Stop by and say hello.


OK, this is a short blog (say thank you!). I’m going fly fishing in the western part of the state with an old friend VERY early tomorrow. He’s a CTO with one of my former employers (you won’t guess, there’ve been just toooo many!), but it’s going to be a great day. I’ve got my 9 weight rigged, my PFD checked out, and fresh chemlights in the pocket. So...


Until next time,
Have a great week!
Jeff

Saturday, September 07, 2013

Red Sky Weekly: This is big!

This is the first blog after our two year anniversary of incorporating Red Sky Alliance, and I can’t even believe how far we’ve come! In two years… and at the same time, we’re putting on the “heading into the end of the year membership push”. So sorry, this isn’t a rough cut blog, nor a controversial issue. Very simply, this is what we’ve done in the last two years. I’d offer this too. We started from nothing… an empty portal. So, here’s where we’re at:


Intelligence and Analysis:


  • We’ve published roughly 100 pieces of detailed, sourced, finished technical analytics (we call them fusion reports --roughly 20 pages of analyst porn and usually a couple of hundred technical indicators presented in Lockheed’s original kill chain format).


  • We’ve published dozens of non-technical intelligence reports showing targeting, intent, and yes, attribution in many cases!


Our membership is active!


  • We’ve got roughly 45 active organizations represented in the two portals, ranging from state/local/federal IT and Information security personnel in our Beadwindow Private | Public portal to 30 or so global enterprise companies in our private Red Sky portal with hundreds of thousands of employees all over the world. In fact, rough estimates suggest this small number of members own, manage, control, or secure over 20 million computers in approximately 140 countries around the world!
  • The portal has grown both in numbers, and in quality of information and activity. Our members contribute on a daily basis more than any other group I’ve been involved with! Checking a moment ago, as of today we have 182 users in our private portal (including several dev, test and administrative accounts). Of those 182:
    • 81 (slightly less than half) are active participants (we monitor for lurking, but also have many CISOs who just want to read to know what their teams are seeing and doing!)
    • 48 threat analysts or incident responders from these great companies contribute regularly
    • and 23 are regular users who are on here all the time --meaning they log in first thing in the morning and stay on all day (it can be addicting!)


We’ve expanded our services!
  • In April we opened Wapack Labs in Manchester, NH. One might call this our ‘collaboratory’ because of the many great skunkwork ideas that flow in and out of it on a daily basis. Others might call it our ‘wholesale analytic shop’ because we’ve been funded to do analysis on the backend of one of the larger national Computer Emergency Response Teams and a couple of smaller projects for both members and non-members. Others might call it a simple incident response and forensic shop, but that’s a pretty mundane way to describe it given some successes.  Here are two of my favs:


    • WhoisRecon: One of our guys, in his quest for additional data to analyze, created a system designed to link and graphically analyze the meta-data associated with bad guys we see registering domains (we call this WhoisRecon and it’s cool as hell!)
    • TIAD: Development of an automated threat intelligence system that links our analytics in the portal to real world data. Today, we have the ability to run nearly 300,000 externally captured pieces of information against all of the data from the two alliance portals and quickly diagnose and qualify them as to what we believe the level of badness is in the intent of the attacker. How cool is that?! In the government we built one of these bad boys and called it GoldRush. Except in the government, the same system cost roughly $10 mil to build. In our collaboratory that is Wapack.. under $200K!
    • R&D: Besides the finished works, we’ve done a bunch of work with Watchguard boxes to see if we can make them do fun things. We’ve had some fun with Splunk and TIAD and a product called Veera. (You’ll be hearing more about this at the Threat Day on Monday.. Oh, wait. I didn’t mention that? We’re having our next Threat Day on Monday at one of the major telecoms, with a tour of the Global NOC. I’m really looking forward to this!)


Last, but certainly not least.. our intern program!


Last year we offered two internship programs. One intern made it through the program. When he graduated, we pushed him into the membership for his first job. Why not? They’ve been seeing his work all year. They peer reviewed him in the top 10%. Why wouldn’t one of our members hire him? And you know what? He’s in a great job working as an intel analyst at one of the biggest credit card processors in the world! He’d been offered three jobs from members, and we’ve been told (by the members) that they’ll take as many as we can push out. So this year we have four of them in the pipeline. One just accepted a (paid) position in a local university. One has another year of school, but she’s bilingual (Japanese and English) and a dual major (CS and Journalism --what a great combination! Man, can she write!). Another is a statistician, and the last just wrapped up his program in homeland security.


“Heading for the end of the year membership push”


So here it is.. it takes months to get membership checks from big companies… even when you offer good terms. I’ve got 14 appointments in the next two weeks to talk about potential memberships. It’s getting busy. Send me a note and schedule your demo today before the end of the year rolls around!


Until next time,

Have a great week!
Jeff

Saturday, August 31, 2013

Red Sky Weekly - 0-day and intel

Red Sky Alliance turns two!

Yesterday marked the second anniversary of our incorporation! We're two! We've come a long way. They say the test of a startup comes in making it through the first year, but I'll tell you, even the second is terrifying! That said, it's been a GREAT two years!

I've just returned from Iceland, where I had the opportunity to participate and speak at the Nordic Security Conference. What a blast! The weather was cool and wet most days, but nonetheless, I was able to get a run in along the beach (Did you know they have a heated beach?? They pump geothermal heat into the beach!) and experience a bit of the local flair. Thank you to our Icelandic hosts! I'm looking forward to seeing some of you come into Red Sky!

BT BT (break break)

I'm starting this week's blog with some good intel. We're heading into post-summer, and as with every year, it seems September brings folks back to life from summer vacations. This year is no different...

  • Fusion Report 20: In late July, Red Sky received information regarding a Microsoft 0-day being exploited in the wild. This Fusion Report detailed the delivery and C2 infrastructure as well as the observed payloads and protection against it. Red Sky classified this activity as UPS for future tracking and correlation. 
  • Intelligence Report: Red Sky received information regarding a piece of malware used in targeting (as currently known) only one member of the Red Sky Alliance membership. This appeared to be a highly targeted set of attacks (yes, a set.. more than one) against one company with very specific intent. Our internal analysis team was able to locate who we believe authored the malware used. Our report is going out this weekend after some final edits.
BT BT

Preparing for our next threat day: September 9th will bring our next threat day. This one will be held in one of the big telecoms. We'll be demonstrating new tech to be added to the Red Sky portal, we've got four great presenters and we'll be wrapping the day with a tour of this telecom's global NOC. I'm very much looking forward to it!



The next few weeks are big for Red Sky Alliance. As we head into the post-summer months, it seems like we get really busy on both the analytic fronts and new membership requests. I'll be in the lab in Manchester all of this week, but heading to the DC area next week, taking appointments for Red Sky introductions. I've got several booked up, so if you've been considering talking with us about membership in any of the portals, or a need for services from the lab, Please contact us earlier rather than later. 

  • Red Sky Alliance's private portal - Business to business only. No government participation. Companies share information about current activities and futures. Our backend analysis team boils down those conversations and feeds them back in Fusion reports --20 pages of solid analyst porn and usually several pages of easy to use kill chain formatted indicators.
  • Red Sky Alliance's Beadwindow portal: Beadwindow is a Private | Public environment. We have smaller companies, and state/local/federal IT workers in Beadwindow. Beadwindow members do not get access to the private portal, but do have access to Red Sky's expert analytic team.
  • Wapack Labs: Wapack is the hands-on end of the business. If you need forensic support, malware work, or development work, consider Wapack. In addition, we've been talking (and working) in healthcare companies offering HIPAA gap analysis and assessments (we have fully qualified auditors on staff), following up with placement of sensors for protection. We bring data back to the lab (over the wire) where we check sensor findings against current Red Sky indicator data. This does a couple of things --companies who may not otherwise participate in Red Sky get the benefit, and Red Sky members get the benefit of any new TTPs or indicators identified!
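The two passages above that describe checking collected data against indicator data (TIAD running externally captured information against portal data, and the lab checking sensor findings against Red Sky indicators) come down to one defensive technique: normalize observables from sensor events, look them up in an indicator set tagged with kill-chain phases, and group the hits per host to see how far along the chain a machine got. The following is an added example of that matching step, written for this page; it is not Red Sky or Wapack code, and the indicator feed, report ids and sensor log lines are constructed here (documentation IP ranges, made-up hashes, placeholder report ids).

```python
"""Indicator matching over sensor events, with kill-chain phase tagging.

Added example, not Red Sky/Wapack code. All indicators, report ids and
log lines below are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Indicator:
    kind: str    # "domain", "ipv4" or "md5"
    value: str
    phase: str   # kill-chain phase the indicator was observed in
    source: str  # report the indicator came from (placeholder id here)


# Constructed feed: reserved/documentation values, not real indicators.
# Note the mixed case and trailing dot on the first entry; normalization handles it.
INDICATORS: List[Indicator] = [
    Indicator("domain", "Update.Example.NET.", "Command and Control", "FR-PLACEHOLDER-1"),
    Indicator("ipv4", "203.0.113.45", "Command and Control", "FR-PLACEHOLDER-1"),
    Indicator("md5", "0123456789abcdef0123456789abcdef", "Installation", "FR-PLACEHOLDER-1"),
    Indicator("domain", "files.example.org", "Delivery", "FR-PLACEHOLDER-2"),
]

# Constructed sensor output (not real telemetry): one event per line, key=value pairs.
SENSOR_LOG = """\
ts=2013-08-30T09:12:01Z host=ws-017 type=dns query=cdn.update.example.net
ts=2013-08-30T09:12:03Z host=ws-017 type=conn dst=203.0.113.45 dport=443
ts=2013-08-30T09:15:30Z host=ws-022 type=dns query=files.example.org
ts=2013-08-30T09:15:44Z host=ws-022 type=file md5=0123456789ABCDEF0123456789abcdef name=setup.exe
ts=2013-08-30T09:16:00Z host=ws-031 type=dns query=www.example.com
ts=2013-08-30T09:16:09Z host=ws-031 type=conn dst=not-an-ip dport=80
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def normalize(kind: str, value: str) -> Optional[str]:
    """Canonicalize an observable so feed and sensor spellings compare equal.
    Returns None when the value is not valid for its kind (bad IPs, odd hashes)."""
    if kind == "domain":
        return value.strip().lower().rstrip(".") or None
    if kind == "ipv4":
        try:
            return str(ipaddress.IPv4Address(value.strip()))
        except ipaddress.AddressValueError:
            return None
    if kind == "md5":
        v = value.strip().lower()
        return v if re.fullmatch(r"[0-9a-f]{32}", v) else None
    return None


def build_index(indicators: Iterable[Indicator]) -> Dict[Tuple[str, str], Indicator]:
    """Index indicators by (kind, normalized value) for O(1) lookups."""
    index: Dict[Tuple[str, str], Indicator] = {}
    for ind in indicators:
        norm = normalize(ind.kind, ind.value)
        if norm is not None:
            index[(ind.kind, norm)] = ind
    return index


def parse_event(line: str) -> Dict[str, str]:
    return dict(KV_RE.findall(line))


def observables(event: Dict[str, str]) -> List[Tuple[str, str]]:
    """Map sensor fields to (kind, value) pairs. Parent domains are included so a
    feed entry for example.net also matches host.example.net (bare TLD excluded)."""
    out: List[Tuple[str, str]] = []
    if "query" in event:
        dom = normalize("domain", event["query"])
        if dom:
            labels = dom.split(".")
            for i in range(len(labels) - 1):
                out.append(("domain", ".".join(labels[i:])))
    if "dst" in event:
        ip = normalize("ipv4", event["dst"])
        if ip:
            out.append(("ipv4", ip))
    if "md5" in event:
        h = normalize("md5", event["md5"])
        if h:
            out.append(("md5", h))
    return out


def match_events(log_text: str, indicators: Iterable[Indicator]) -> List[Dict[str, str]]:
    """Return one hit record per (event, matching indicator), in log order."""
    index = build_index(indicators)
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        event = parse_event(line)
        for key in observables(event):
            ind = index.get(key)
            if ind is not None:
                hits.append({"ts": event.get("ts", ""), "host": event.get("host", ""),
                             "kind": key[0], "observed": key[1],
                             "phase": ind.phase, "source": ind.source})
    return hits


def phases_by_host(hits: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Kill-chain phases seen per host, in time order: a host that shows Delivery
    then Installation is further along than one with a single C2 lookup."""
    by_host: Dict[str, List[str]] = {}
    for h in sorted(hits, key=lambda h: h["ts"]):
        phases = by_host.setdefault(h["host"], [])
        if h["phase"] not in phases:
            phases.append(h["phase"])
    return by_host


if __name__ == "__main__":
    found = match_events(SENSOR_LOG, INDICATORS)
    for h in found:
        print(f'{h["ts"]} {h["host"]} {h["kind"]}={h["observed"]} '
              f'phase="{h["phase"]}" source={h["source"]}')
    print(phases_by_host(found))
```

Two points the code makes that the paragraph does not: indicator matching fails silently without normalization (the feed's `Update.Example.NET.` and the sensor's `cdn.update.example.net` only meet after lowercasing, stripping the trailing dot and walking parent domains), and a single hit is far less informative than the sequence of phases a host has touched, which is what the kill-chain tagging on each indicator buys you.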

I'm keeping this one short, but please, if you're considering scheduling a demo, contact us today. We'd be happy to set it up.

Until next time,
Have a great week!
Jeff




Saturday, August 24, 2013

Are We Ready for Systemic Infections?

I'm NSA'd out. My daily morning reads include RSS feeds from TechDirt, Foreign Policy, SlashDot, ARS Technica, and a couple of others, who have all been covering NSA all day every day. Bottom line is this.. right or wrong, whatever your opinion, cyber infections are systemic --at every level of computing. I've been asked a few times what I think about the NSA issues, but I have only two thoughts.. first, I worked for this smart guy that used to say "assume noble intent"... and I do. Noble intent.. good idea, bad execution? Perhaps. That's yet to be sorted out by others. The second thing I'll say is that cyber exploitation is completely and totally systemic... we've lost our privacy in cyberspace... the bell's been rung and can't be un-rung. We live now in an untrusted environment that includes cyberspace. Better get used to it. It isn't going to get any better...  

BT BT

When I go through TSA, I almost always ask them (as they are returning my ID and boarding pass) "What's my name? Where do I live?" (it's WAY fun to see the expressions of pure horror on their faces when they have no idea whose ID they just checked!)... I was reminded of this when one of our guys posted a blog on our Wapack Labs site that he authored while sitting in Logan waiting for his flight to some remote location where he'll be spending the weekend shooting a LOT of guns. Matt is a personal safety guy and a gun enthusiast; a far cry from when I met him years ago when we worked together at Cisco. Matt talks a lot about personal safety, giving out information, and the idea that we are giving our personal information to perfect strangers in an airport, losing your identity online, and simply doing business on wireless networks that nobody knows are safe to actually do business on. He also talks about the fact that TSA doesn't bat an eye when you carry two Level III+ body armor plates through the checkpoint. In reading his blog, of course my mind was racing.. it always does, but think about this…


We spend a TON of money on physical security at the airport to protect from physical threats to airplanes resulting from humans carrying nail clippers onboard. We're forced to give our personal information to perfect strangers. Our bags get inspected and x-rayed, we walk through metal detectors (and worse) to ensure we have no metal objects or bombs in or on our body. When we get through security, guys with dogs are often times walking around... plenty of guns (except mine!) are holstered hot, and once we do get on the airplane, there's probably an air marshal onboard.


But with all of this physical security in place, are we really more protected?


We spend a ton of money on physical threats that might occur that day, but only a fraction of that money on cyber events that will occur that day.


With all the money spent on physical security, how well do we protect those very same planes from attacks --from inception of the idea through final delivery and flight?


Are we thinking about the systemic risk that we face as security professionals? Are we ready if (when) it happens?


So I wanted to run a test. I ran a simple Google query for "Aviation Supply Chain". Google yields (as you might expect) quite the haul, but one company in particular stood out... a supply chain company who (according to their website) was founded in 2000, is owned by a consortium of the large airlines in the world, and sells through EDI and online. The site talks about its ability to do EDI with the companies, and apparently is an exchange of parts, services, and supplies for an enormous number of suppliers and most of the OEMs.


Here's what surprises me (it probably shouldn't come as a surprise): the CEO is an MIT grad, the CIO is a PhD, and the VP for product management is a software guy. Something's missing. Where’s the CISO?


This is a company that built a supply chain business helping airplanes get off the ground and fly to maximum profit. They offer brokered repair services, parts, even some manufacturing, yet there's no CISO to be seen, nor anyone with security experience. As surprising to me is knowing that the supply chain industry is probably the weak link in the development of any major product --including airplanes. Looking at their conference agenda for 2012, and their upcoming 2014 (2013 isn't posted for some reason), there's a ton of information about production, supply chain management, efficiency, etc., but not even one mention of protecting data in this critical infrastructure supply chain to the aviation industry.


So here I sit, preparing my slides for the upcoming Nordic Security Conference in Iceland next week. My topic? "Seven Common Processes that companies use to protect themselves from advanced threats - How great companies survive (thrive) in today’s threat landscape”. Then I shift gears back over to do some cursory research for my blog, and I find that this supply chain exchange company (did I mention they were built and owned by the major carriers?) doesn't have a CISO mentioned in their leadership page, doesn't mention security at all in their web page, and their annual conference includes a volleyball tournament, but no mention of how companies will keep components and airborne networks safe from hackers onboard with pineapples, or protect the internet-attached CVS repositories where the chips are built before they're loaded into cockpit gear, mess with schematics for the autopilot, or even more simply, protect from reroute and confusion in the ordering process by gaining EDI access at an unsuspecting mom and pop shop who happens to manufacture critical components (yes, small companies make important stuff for big companies all the time!).

This aviation question is a great example, but one of many; the same question is being asked in other industries as well...

  • There was a great talk given at DEFCON about hacking the CAN in cars.. the CAN is the local controller area network that networks all of the sensors and computers in your car.
  • We spoke with a security intelligence organization last week who told me they see beaconing from smart devices in operating rooms --coincidentally, I had the same conversation with a tech-savvy cardiologist just a few weeks earlier!
  • Dozens of companies are in the news weekly --many manufacturing high end technologies. Can we assume that the machines that hold the code that's getting burned into chips destined for printers, copiers, medical devices, heck our refrigerators, won't phone home when turned on?
  • CBS News reported on an overseas networking company building espionage capabilities into our networking gear.. the same gear our infrastructure is built on.


Supply chain and interconnectedness is important... REALLY important. In fact, it's critical. So how do we get the word out to all of these companies? Many of them are small (like our aviation supply chain company) and must focus on sales and productivity. Security? It costs money. But these guys are the backbone of our economy!!  I'll ask the question again...


SO, WHERE'S THE CISO???


With so much riding on data availability, integrity and confidentiality; with the government writing DFARS mods on nearly a daily basis requiring companies to prove information security (and report cyber events to them when they occur); when a guy stands in front of a crowd and talks about hacking cars through their onboard networks, and you can’t swing a dead cat without hitting someone who’s threatening our privacy, the CISO becomes a major competitive differentiator.  

The CISO should be out front. "We have one, and he's (she's) brilliant!" "Yes, we care about our customers, and we've hired the very best."


BT BT


I know this is a long blog. I'll keep this short. We had a great week.


  • Our first Federal Agency joined Beadwindow (our private | public portal) this week. I’ve known these guys for a while. In fact, I used to use them to fact-check my DC3 team when we were just starting out! Welcome!
  • We had two meetings with prospective members and brought one more private company (the CISO of a security company) into Beadwindow.
  • Even with the team working nights supporting TIAD (our Threat Intelligence and Analysis Database) training overseas, we managed to continue developing cool tech, the portal is busier than ever, and now, heading into post-summer, the phones are starting to ring again! I was starting to feel a bit like Rip Van Winkle.. time to wake up, old man!
  • Fusion Report this week but we're building out our linguist team --we got our first Romanian speaker onboard, a new Russian linguist and just posted three new priority intelligence reports (PIRs). PIRs are short pieces that we find interesting, and that offer fast turnaround analysis for instant situational awareness when something looks important.

    • Defcon Talk on Car Hijacking - I LOVED this talk btw!
    • Android Malware
    • Ministry of State Security's new Lhasa office


Our members will be reading these as we speak. You could be too. Call us.
Have a great week!
Jeff

Saturday, August 17, 2013

Antitrust to cyber is like a wooden stake to a vampire...

Last night we posted an intelligence analysis report (IAR) in response to a question from a member of the Oil and Gas industry. What started with a simple question in the Red Sky portal blossomed over the last two weeks into a full discussion with roughly a half dozen of our other members and two of the Red Sky analysts, and then into a formal report, detailing the members of the group attacking the Oil and Gas companies, targeting associated with their activities, how they went about their business, and relative (or not) successes in their exploitative activities. In this case, the attackers had little success, but as we track them, we'll see the group's tactics change (likely get cleaner, more efficient and more effective). The Oil and Gas folks will already know them and be ready for them. And when the group decides to begin targeting other industries, our non-Oil and Gas company members will also be prepared.

This is the power of information sharing. 

Information sharing works, but only under specific circumstances:

Reform Cyber Antitrust. Antitrust to information sharing is like a wooden stake to a vampire.
I've been operating in this (information sharing) space since founding the Healthcare ISAC in 1999, and every company I've ever dealt with, when sharing information (above the 'doer level'), worries about what their antitrust liabilities will be. Lawyers threaten jail time when talking about sharing information with others, and when that information might lead to competitive advantage.

So here it is (Congress). We need to figure this out. Companies who share information about their cyber issues could face massive legal implications. Companies who don't do face extinction.

Open and honest comms are a must. Anonymity doesn't work. 
In 1998, PDD-63 called out the US Critical Infrastructures. As a result of this new understanding of the critical infrastructures in the US and their susceptibility to cyber attack (we didn't call it cyber back then), Information Sharing and Analysis Centers (ISACs) were formed. The basic premise was this.. one company has a computer get attacked/breached. The company could take the lessons learned and anonymously submit them to an aggregator who would perform triage level analysis and forward the results to the entire critical industry. ISACs popped up everywhere. I believe at the time, there were 13 critical infrastructures. A financial services ISAC was formed, water, energy, etc.  In fact, I founded the original Healthcare ISAC (here's a link to the wayback machine from the original post in 1999) on a suggestion by Alan Paller at the time.

In the early days, the idea of anonymity worked. Attacks occurring in member networks were not all that sophisticated (although at the time we thought that they were!) and anonymously sharing information about an attack on one system was simple to do. Today however, when one attack occurs, it's more sophisticated. Account takeover, stealing drilling data from our Oil and Gas folks, military fighter data from defense companies, breaking into a Mercedes dealer for their customer list... whatever the reason, attackers are employing tactics that simply weren't used in the mid 90s.. CISOs must understand that an attack no longer affects just one machine, but potentially thousands, and that simply submitting an anonymous post to a list just doesn't work. One attack profile can be used in multiple ways depending on the circumstances. One piece of malware can be modified thousands of times, but it's still the same malware doing the same functionality as the very first.

Analysts need to be able to talk. Context must be known to be able to troubleshoot and understand the cause-and-effect of the attack. It (context) must either be provided by the submitter or extracted through Q&A... And when context is extracted through open conversation, the results are amazing.

We must remove the mental barriers. Attackers collaborate. So must we.
Out of the (18?) ISACs today, only one that I'm aware of has any kind of open conversation about cyber attacks --but it's not across the membership. It's across a very small subset (less than a couple dozen) of the very large membership (thousands). Why? Because the community, like others, has members with varying degrees of capability; because knowing about what's going on is very different than actually being able to do something about it... or even detect it; because members are afraid of anti-trust; because CISOs inherently don't like to talk; because if a regulator is in the room, there'll be an investigation; or worst of all, because simply being a member of the ISAC checks the block that shows you're doing due diligence.

There is hope. 
There are loads of CISOs who get it. Many of our Red Sky Alliance members are members of both an ISAC and Red Sky Alliance. They participate in multiple forums where information is exchanged -and they compare notes in our portal. They've seen how open discussions produce FAR better, more actionable results (and ROI on their membership fee) than simply sending and receiving anonymous submissions to an aggregator or participating in an email list where pseudonyms are used to hide member identities and operational security practices are always suspect. Why? They get the best of both worlds. They get the benefits of the anonymized ISAC submission process, government CIPAC interface (if they choose to use it), and from Red Sky they get full, detailed analysis and actionable information.

BT BT

Coming off the soap box, we're gearing up for the post-Labor Day workload. Summer is nearing a close and it's getting busy!

  • Our latest Intel Report was posted (mentioned above).
  • We posted a second analytic product, authored by one of our interns. She's a UT Austin student in her third year.. bilingual in Japanese and English and a dual major -computer science and journalism. She can really write! And when she's ready to graduate, we'll introduce her to the membership. She's very good and we love reading her analytic products!
  • We've been working hard on some new tech. As our community grows, so does the need to capture backend information. Our folks are, as we speak, heading for Japan for the first unveiling and beta testing with one of our members. 
  • And last, but certainly not least, we welcomed a new Forensic Examiner to Wapack Labs. Chris Wierda recently graduated from a BS program in Forensics at SUNY Erie County. He's an Army Vet and a Manchester native. We're glad to have him join the team!
Until next time,
Have a great week!
Jeff

Saturday, August 10, 2013

What about Data INTEGRITY??

Whew. Just back from vacation and could easily have taken another ten days! I hightailed it from Maine to Maryland on Monday, arriving after midnight following long delays on the NJ Turnpike, only to turn around on the train and head for NY on Tuesday for the SINET conference at the Columbia Faculty Club. Robert absolutely knows how to put on a conference!

I arrived a bit late, but sat in every presentation and panel all afternoon. And one thing I found most interesting --a theme -- "I just skate to where the puck is going to be, not where it has been" (Wayne Gretzky) [Note: I originally misquoted this. Thanks Lux! I stand corrected!] seemed to emerge as a theme in the first panel after lunch. Interestingly enough, the panel was four folks from the business development and sales side of the house at four large defense contractors, all vying for the best non-pitch pitch to the government buyers possibly in the room. The thing I found most interesting was this.. when asked "where is the puck going?" we heard standard answers --one stated that he didn't expect to see desktops next year, rather mobiles and pads (really?!). Another talked of more virtualization (genius!). Yet another talked about different things he thought he'd be selling to the government in a year or so. This is exactly what I'd hoped to hear.. out of the box thought from industry leaders! Visionaries!

Is this really where the puck is going?! This is an Infosec conference right?? I hate to think these MAJOR government contractors can't think more than a year or two out. Why do I say this?

Here's what I worry about:

Short term (next two years) - in (my) priority order:

  • Unsuspecting supply chain companies unknowingly (or knowingly) being whacked. Hell, I'm not sure we've got any safe intellectual property left! If it's connected to the internet, you better start thinking about how you're going to replace it. The tube of toothpaste has likely (high probability) already been squeezed, and it ain't going back.
  • Data integrity - I worry about this one the most. I think about it almost every day. We've lost confidentiality already. How will we make our data tamper-proof, or at least know when mods weren't made by legitimate users?
  • Physical losses from data security breaches - Espionage has turned the corner to sabotage and availability. While not completely lost, availability and sabotage are hugely problematic. Ask any company whose computers are destroyed by a breach, or any product that requires constant patching because of lost integrity.
  • The complexity driven effects, transitions, policy and legal consequences of BYOD forming, storming, norming and finally, performing. I'm not sure we've hit storming yet and BYOD challenges are hitting us square on the nose! 
  • Cloud hacking - Why rob banks? That's where the money is! - Cloud is becoming a rich target. 

Longer term (2 years and out)

  • Data integrity again. I used to be a Naval Officer working in Information Warfare (as it was called at the time). Information Warfare was pretty straightforward.. make an adversary lose confidence in his data. When data integrity is lost, and variances can't be measured, every chip, piece of code, and transaction will be suspect. Would you fly on an airplane if you thought the onboard computers were hacked? Would you drive a car? What happens when computer networked machines get bad instructions, or chips have bad code burned in because the production processes were compromised? It's not a pine cone that just bonked you in the head. This stuff is coming.
  • The infrastructure is lost. Everybody has tools to monitor Windows machines and grab pcap, but what about the routers, call managers, printers, VoIP phones, etc.?
  • Service accounts to these devices, and those baked into domain-crossing horizontals, are some of the hardest to protect.
This stuff is cancerous and systemic. It's what I worry about. Not rocket science, but it's where I believe the puck is going. 

How will you know? Great situational awareness. How do you get great situational awareness? You watch the radar, listen to the sonar, read every intel report, and you constantly compare notes with the picket fence set up by the rest of the fleet and joint forces you're connected to. You update your intelligence, and act on the risk.

How does this happen in cyber? You baseline your tools and infosec processes to give you the best chance at detection (and prevention). You train your staff to know what to do when... You subscribe, read, evaluate and act on as much as you can or need to. And you talk frequently to others in Red Sky or Beadwindow!

BT BT

It was a fairly slow week but productive as heck.

  • Two Priority Intelligence Reports were posted to the portal --one discussed ATM hacking and another an APT group associated with the ATM hacking. Priority intel reports are what the IC might call IIRs. Red Sky analysts have a list of priority and standing collection/analysis requirements, and when we find new pieces of the puzzle, we publish them to our members. 
  • A fusion report was posted earlier in the week. FR13-21 analyzed a previously reported backdoor, but with intelligence and good tech work by the team, we reported details of the infrastructure and a new version of the TTP in use and their associated indicators. 
  • Beadwindow has reopened. We've realigned the portal for its new mission, and have invited its first member --who's already filled out a profile! Beadwindow will be used to service individuals, small and medium sized businesses, and government IT workers (2210s).
  • And finally, in the lab, we're preparing to go into our next healthcare gig --an online pharmacy. 
One final note...

It's coming up on Labor Day --the end of summer; four months until year's end. If you've been thinking of joining either Red Sky or Beadwindow, the time is now. In most cases, it takes 3-4 months to get checks paid by your accounts payable, and if you join us today, you'll get 2012 rates for your first year. Don't hesitate. Want to know what we do? This is our 42 second video...

Take advantage of the 2013 pricing. Contact us today. 

Until next time..
Have a great week!
Jeff


Friday, August 02, 2013

Zero Day on the Mountain

Last week, I attended a lecture by Robert O’Harrow, a reporter on the Investigative Unit of the Washington Post.  The topic of Rob’s presentation was “Zero Day:  The Threat in Cyberspace.”  The presentation was held in a concert hall that held 560 people and it was standing room only.  This may not appear out of the ordinary for an INFOSEC group, but this event was held in Steamboat Springs, CO.  There were no INFOSEC professionals in the audience, only very interested people, who took time off from recreational pursuits to learn about what is threatening their personal computers and email accounts.

I had already purchased Rob's book ($2.99 for the Kindle edition) and read it before his lecture. His talking points followed his chapters and he geared his presentation to the audience. What amazed me was that here were over 560 people who gave up their late afternoon time to learn about a topic that is threatening all aspects of their lives, from their personal bank accounts to whether the local electric utility could lose control of its systems and services. When the presentation and Q & A session was over (questions like "why you should not use your cat's name as your password"), I listened to members of the audience exchange personal experiences of what attempts had been made to harvest their personal and financial information.

What I was hearing was a microcosm of what we are doing for our members at Red Sky Alliance every day. People who knew each other from the community were asking questions and informing each other of the attempts that had recently targeted them.  We see these in our email accounts every day, and I was elated to see a group of informed computer users sharing their information with others.

BT BT

Jeff is on vacation this week, but he still held a prospective member presentation with me on Tuesday morning. We had another one scheduled for tomorrow and I didn't hold him to a third one on Wednesday morning. He needs some well-deserved time off. Even though it is the peak of summer vacation time, we are still receiving requests from leading corporations to learn more about our alliance.

On a daily basis, another group is gearing up again and again to attack another industry segment that affects our daily lives. Why not join our team and share in the information that our members already know?

Until next week,

Jim McKee