Saturday, March 01, 2014

Red Sky Weekly: SkiCon, Advanced Persistent Trout '14?

I was invited up to Sugarbush for the weekend. I'm heading out in a few minutes, meeting a small group of CISOs and Infosec friends for a weekend of skiing, a rented condo and presumably a bunch of heavy-hops IPA. It's going to be cold, but the skiing will be great, and the après-ski will likely be better. In June, it's going to be fly fishing for a week on a river in the Tennessee Valley with another set of Infosec friends. One of the guys reserved a house with 2000' of river frontage and a guide to show us the right fly patterns for the native trout.

Why am I talking about skiing and fishing? Because these are friends. We call each other when we need something. We've followed each other's careers over the years as we each mature into more senior positions, and now, we're skiing, fly fishing, and having a few beers.

So let me ask you a question. When was the last time you asked for help from a perfect stranger? During your last bout with Wekby, APT1, or the massive loss of credit cards, did you Google for help and call someone you didn't know? Or did you ask a friend who they'd recommend first... or better yet, who they'd used themselves?

These same circles of friends that I'm skiing with tomorrow and fly fishing with in Tennessee in June are the same people I've called at one point or another; and they've called on me. We've compared notes, shared incident response hours (many, many hours), begged for budget, screamed at each other over the conference table and played Guitar Hero in the middle of the night, bleary-eyed from a dozen hours of analyzing pcap during the early days of APT --and two of the guys I'm skiing with tomorrow are founding members of Red Sky Alliance.

You see, people don't call strangers for help. They call friends first. Then they call those who've been recommended by friends. The Yellow Pages can't help you with cyber, and Google only gets you so far. So when you need help --finding the sleeper in your networks, pulling forensic images from all over the globe, begging for overtime for your team, or explaining to your CIO why you made your network an island when you watched the shift from the access team to the intel team, even if only for a short period of time --I'm betting a dollar that you won't do it without knowing what others did first, and that the guys you ask first are your trusted friends in positions similar to yours, in companies you can point back to as credible.

And to add to that, most people I know in this space prefer small circles of trust. Thousands of people in low-cost, high-volume portals, sharing information anonymously, may give you that warm feeling of satiation (due diligence?) when you're gobbling IOCs as fast as you can shove them into your intrusion prevention systems, but there's a very high probability that much of the information you've stuffed into that little red box isn't going to do you much good. So what happens when you've spent all that money, and you've made your network an island, and your IPS screams for better stuff, and your team is burning out, but your CIO hasn't got anything left for you? Who are you going to ask for help? Here's an idea. Ask first.

Small trusted circles are WAY better than big ones... when we first started working APT issues (in about 2006), we were three companies under strict NDAs, sharing notes. That three-company circle expanded to about a dozen who really knew what they were doing, and when it came time, we all helped each other. Many today consider that small group of highly trusted companies an amazing force multiplier. Most will tell you that they could never have hired all of the talent they needed to fight the fight without sharing expertise in the then first-of-its-kind, full-attribution information sharing environment.

Wait. What? Full attribution?

You bet. Attribution and peer reviews keep even honest people honest.

Red Sky Alliance today is about 35 large enterprise companies. Those 35 companies all have highly mature information security teams that know what it takes to deal with the problems we all face, but only a few know how to survive. Not one of them has their head in the sand. There's no BS. They just help each other.

So, let me ask the question again.  When the stuff hits the fan, who will you trust?

Me? I'm going to ask my friends.

If you'd like to ask my friends too, drop me a note. We'll get you set up.

BT BT

Even with most of the Infosec folks I know at RSA, it was a busy week. Heck, maybe that's why it was so busy. Bad guys know that the infosec teams are in San Francisco!
  • We don't typically perform victim notifications, but this week we were forced to notify two national CERTs of compromised accounts that were leveraged as part of an ongoing campaign from a known cyber espionage actor. Red Sky is currently receiving a number of APT spearphishes first-hand through a collection of proprietary honeypots placed in very specific locations. Our members receive very fast notification of very early malware --oftentimes beta. In several instances we've been able to post mitigations within minutes of the honeypot capture! For those using spam defenses at the gateway, feeds from this data set can be pumped directly into your IronPort or other similar system.
  • This week we released FR13-006. This fusion report detailed recent campaigns leveraging the IE vulnerability described in CVE-2014-0322. The report described the malware artifacts involved and provided tailored mitigations for a widely used RAT.
We're pushing hard to get Allagash up and running, and with the exception of one last change, we're ready for our first beta testers to jump on starting Monday. We're looking good. Our goal is 20 beta users. We're about half way there. If you're interested, sign on to our constant contact list. When your name comes up, we'll drop you a note.
Last, but certainly not least, our Threat Day is coming up in just a couple of weeks! We're doing cocktails the night before, with a day of presentations the following day. These things are always great, but we're going to have some fun with the National Security Fellows from the Harvard Kennedy School on the night before. It'll be great exchanging ideas in the old mahogany Commonwealth Bar. Smart folks, the Red Sky membership, and liquid brain lubrication. How can this not be fun?!

Ok. Off for now. I've got to get my skis on the car!
Have a great weekend!
Jeff


Saturday, February 22, 2014

Red Sky Weekly: The new normal.. it's here!!

I spent a couple of days this week in Stockholm. Thanks to the IDG folks for having me over. Stockholm is one of my favorite places in the world, and I'll rarely turn away an opportunity to visit.

During the conversations, something struck me. Presentations rarely offer the audience a solid take-away. Rhetoric, 'I'm smart', and marketing often trump "go home, and do this". The funny thing is, while I enjoyed the presentations (as much as I could.. many of the decks were in English, but the audience and speakers used Swedish), conversations revolved around two things... lack of a call to action in the presentations, and the impending changes to EU privacy laws in 2016 (companies face a 5% fine if caught with PII violations --5% of their total revenue!).

And then I had a conversation with a guy who works for IBM in the UK. Great talk. Smart guy. His talk basically presented findings in their October trends report, and while much of it I'd already known, IBM handles volume. In their own networks and in their global services group. X-Force isn't as well known as they used to be (because they're now IBM), but they published a report in which one graphic hit me like a ton of bricks. 
http://public.dhe.ibm.com/common/ssi/ecm/en/sew03031usen/SEW03031USEN.PDF
IBM (presumably X-Force) says that 23% of all of the attacks that they track are Advanced Threat, Mercenary, or Malicious Insider. The graphic I saw was a grainy picture taken during the conference, but the link above goes to the full report with better graphics.

Why would I mention an IBM report? Because it shows clearly that we've moved into a new era.

A whopping 23% of the attacks that IBM reported are what we believe are "Targeted Attacks". 38% in all are what others call "Determined Adversary". These aren't script kiddies, folks.

It used to be that we talked of the "one percenters".. one percent of the companies knew about this stuff. Then the top 5%, then 10.. now 38% of the attacks (at least according to IBM) are the result of targeted attacks. 

Why is this important? Because I still hear-tell of companies worried only about compliance! PCI, HIPAA, and now throwing in the kitchen sink with new DFAR regulations requiring government contractors to report. If compliance is your only motivation, at 38%, you need to start keeping up on the new normal.. and at 38%, that's exactly what we're talking about.. Welcome to the new normal.

What does that mean to you? We have a solution.

  • Red Sky's social network caters to more mature information security teams. They want DATA. But at the same time, they like the idea that we turn the chaos of some of the social conversations into usable, analyzed intelligence. 
  • Don't want to participate in the collaboration? Hire Wapack Labs to do it for you. We don't think of this as a subscription service. All of our reporting is tailored to your company. Why? Companies are like fingerprints.. every one is different... different operating procedures, different infrastructure, mission, product --and information needs.
  • Still too much of a commitment? Consider Allagash. Allagash will let you log into a web page, ask a question, and we'll tell you what we know.. starting at $35/month, you'll have a fast and easy diagnostic tool. We're beta testing starting next week. So far so good. Drop us a note. We'll be happy to run a demo and get you signed up for the beta.


So I'm going to close out this week with a couple of short thoughts..

  • Allagash is coming along nicely. We ran a test sample against our internal version last week.. a 4T sample. Obviously not through a web query, but our engine performed really well. Several APT groups, criminal activities, and a bunch of non-targeted information was identified. Our first beta customers come online on the first of the month. I'm looking forward to it. I think we have about a dozen people interested in beta test accounts. It's small, but our first shot. Interested in being an early adopter? We've got a list going. Sign up here.
  • Our Red Sky threat day is coming up soon. We're hosting it at the Harvard Club of Boston with a cocktail party the night before. We've invited the current class of National Security Fellows to join us for the evening, and we have sponsors signed for our first-ever sponsored event. This was new for us. So far, so good. We'll see how it goes. Interested in sponsoring one of our events? Contact Steve Hunt for more information.
  • Last, we've got two guys at RSA this week. I'll be in the lab, but Rick Gamache and Steve Hunt will be wandering the floors. Rick is Red Sky's CIO and Steve heads up community engagements. Reach out directly if you'd like to have time with either... or grab a beer!
OK folks. I'm cooked from travel. 
Have a great week!
Jeff


Saturday, February 15, 2014

Red Sky Weekly (2/15/14): Introducing Allagash!

What is APT? What exactly does the term mean? Where'd it come from?

So I'm here to set the record straight...

(Then) COL Greg Rattray, now co-Founder and CEO of Delta-Risk, coined the term APT in roughly 2006 while crafting the (then) Air Force Partnership with Industry Program. APT, although absolutely meaning Advanced Persistent Threat, aptly described the problems at hand at the time --a phrase, which described the traits of the attacks/attackers/problem sets we were facing, but more simply, APT was nothing more than an unclassified term/phrase used to describe what we all knew (then) to be a classified set of circumstances. Bottom line? Other than a simple description, APT allowed us to talk at the unclassified level about problems known mostly by those in the classified realms without using the real names.

Today, APT has morphed into something much more. Bastardized, branded, marketed and abused, APT is a generic term used to describe the problems chased by the most paranoid. In all reality however, in nearly every case, when we bring someone to the lab, or do a presentation, APT has a very different meaning. It's still a generic acronym, but it's used to describe state sponsored cyber based espionage activities. When we use the term APT, we also include "Targeted Attacks" or "determined adversary" to describe those attacks not necessarily state sponsored, but very much in line with the same kinds of TTPs, and in many cases, some of the same actors.

Now that we've set the record straight on exactly what APT is and what APT isn't, we can all use the same dictionary --right? Of course.

So who/what exactly does APT encompass? Espionage actors from all corners of the world. Originally used to describe attacks from a very large country on the other side of the world, APT now includes actors from dozens of locations and countries all building and acting on offensive or espionage focused cyber activities. Could APT be used to describe US activities? Probably! I'd laugh and say that Stuxnet probably puts us squarely in that category. But at the same time, dozens of groups act in this capacity --some state sponsored, others state contracted, many more up and coming. In fact, when I present today, I tell people that they should expect the worst in the future....

Why? Because as we track the explosion of new state sponsored cyber activities (there are several --we, Red Sky Alliance, have a junior analyst tracking this routinely), we know one thing: future cyber wars (we don't consider today's espionage activities to be war) are not going to be fought military on military; they'll be fought military on population. State sponsored cyber warfare will follow many of the same processes followed in kinetic warfare today, except in cyberspace. Energy producers, command and control, finance/logistics will all be targeted directly by actors from all corners of the world aiming at making it easier for physical access or troops. Be ready folks. The sky's not falling today, nor will it in the future, but as cyber military operations mature, collateral damage will include computers burned, infiltrated, and controlled by enemy actors --in power plants, telephone systems, cellular operators, port operations, healthcare, logistics, consumer electronics (think phones, pads, user devices, possibly appliances, 'things') and more. Targeting via cyberspace is far easier than reaching out with airplanes, troops, and ships; far less risk and a broader set of targets will allow militaries to affect a lot more than they do today.

Why the lesson in warfare? It's not normally my style to offer gloom and doom scenarios, but folks I'm here to tell you, it's only going to get worse before it gets better, as we achieve the new normality of future warfare. Every company and every organization will be affected. More likely, preparations will occur well in advance of the start of any conflict.

Companies today have MILLIONS of vulnerabilities. Attackers have every advantage...

How do you stay ahead of this?

Keep your head on a swivel - watch the horizon for threats:  I refuse to quote Sun Tzu, so let's try this... Anyone with a daughter can tell you that watching the environment is key to protecting her.. so think of your networks as your teenage daughter.  She doesn't know better. She has a ton of weak spots. And boys will come around. In cyber, pay attention to the threats. How do you know the threats? By talking with peers --hopefully mature peers who can guide you through the process of preparing your networks and help figure out where the most likely, most serious threats will come from.

We realize not everyone can consume intelligence, so we've come up with additional offerings. Between the alliance and the lab, and now a web based tool called Allagash, users who want as much data as possible can get it. Those who want simple diagnostics can get it.

Red Sky Alliance: Red Sky Alliance hosts a group of very mature infosec teams. These guys want a LOT of data. They want all the context, and although they like our analysis and intelligence reporting, they generally want to create their own and much of it is obtained through sharing information in the collaboration.

Wapack Labs provides services for those who need, and can consume, intelligence, but may be either too busy or not confident enough to participate in the collaboration. Even when users engage Wapack Labs, they generally sign on with Red Sky Alliance as well. The lab helps them separate wheat from chaff, and the Alliance helps them with situational awareness.

And now... Allagash.

About five years ago, I sat with a VERY large defense contractor as they were considering go-forward strategies for dealing with their very first APT experiences. The only detection tools they had at the time were a help desk, and anti-virus. I offered a suggestion... what if I could give you a short set of diagnostic questions that a technician could ask during every help desk call? We came up with a set of about a dozen diagnostic questions that every tech answered during every help desk call. An escalation flag was set so the tech knew when to escalate, based on the diagnostic questions he or she answered. If three or more indicators were present, the help desk automatically escalated to the (then) two person Information Security team. When escalation tickets started piling up, the Infosec team was able to justify requests for funding from the affected businesses. 

As help desk escalation tickets grew (quickly) so did the infosec budget. 

So I thought.. why not offer a diagnostic tool, at a low cost (about $35/month per account), that could assist help desks with diagnosing APT, targeted cyber events, and other kinds of activity?

Allagash: Allagash is for those who need fast diagnostics and clean information.  Simply cut and paste logs, system inventory information, files, IP addresses, etc., or upload a .txt file into a web based tool.  If anything matches things that we know about, we'll give you a list of what to look for in a very simple output; and if we know, we'll tell you which APT set it belongs to. In fact, we sold our first five early adopter accounts to a local company called MyCloudCure.com --a premium help desk service built by the folks who ran the help desk for the Dartmouth Healthcare system. They'll be coming on with the lab on March 1st.  Allagash ain't sexy. We're starting small and offering inexpensive early adopter service. Don't expect graphics, correlation engines, or spinning whoopee pies. Allagash is meant for fast diagnostics of bad stuff, offering a simple, but very usable output.
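To make the two ideas above concrete (the help desk rule of "three or more indicators present, escalate" from the defense contractor story, and the paste-your-logs-and-match diagnostic just described), here is a small Python sketch of how such a lookup works. This is an added example, not Allagash's code and not Red Sky's indicator data: the indicator table uses placeholder values only (RFC 5737 test addresses, a reserved .test host name, an invented hash), the "APT-SET-A/B" labels are made up, the ticket text is constructed, and the extraction regexes and file-extension filter are my own assumptions about what pasted help desk text looks like.

```python
import re

# Constructed indicator table: placeholder values only (RFC 5737 test addresses, a reserved .test
# name, an invented hash). The attribution labels are made up for this example.
KNOWN_INDICATORS = {
    "203.0.113.45": "APT-SET-A",
    "198.51.100.7": "APT-SET-A",
    "update.example-evil.test": "APT-SET-A",
    "0f1e2d3c4b5a69788796a5b4c3d2e1f0": "APT-SET-B",
}

# Constructed help desk ticket text to diagnose (not a real ticket).
SAMPLE_TICKET = """\
User reports browser popups since Tuesday. Proxy log excerpt:
2014-02-14 10:22:01 10.0.5.21 GET http://update.example-evil.test/cfg.bin 200
2014-02-14 10:22:03 10.0.5.21 CONNECT 203.0.113.45:443
AV quarantine: C:\\Users\\bob\\AppData\\Local\\Temp\\svchost.exe md5=0f1e2d3c4b5a69788796a5b4c3d2e1f0
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_RE = re.compile(r"\b(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
# Dotted names that are files rather than hosts; assumption, extend as needed.
FILE_EXTENSIONS = {"exe", "dll", "sys", "bin", "txt", "log", "tmp", "dat"}


def extract_indicators(text):
    """Pull IPv4 addresses, file hashes and host names out of pasted free text."""
    found = set()
    for ip in IPV4_RE.findall(text):
        if all(0 <= int(octet) <= 255 for octet in ip.split(".")):
            found.add(ip)
    found.update(h.lower() for h in HASH_RE.findall(text))
    for host in HOST_RE.findall(text):
        host = host.lower().rstrip(".")
        if host.rsplit(".", 1)[-1] not in FILE_EXTENSIONS:
            found.add(host)
    return found


def diagnose(text, indicators=KNOWN_INDICATORS, escalate_at=3):
    """Match extracted indicators against the table.

    escalate_at mirrors the help desk rule from the post: three or more hits
    and the ticket goes to the information security team automatically.
    """
    hits = {ind: indicators[ind] for ind in extract_indicators(text) if ind in indicators}
    return {"hits": hits,
            "attributed_sets": sorted(set(hits.values())),
            "escalate": len(hits) >= escalate_at}


def render(result):
    """Plain text a technician can read straight off the ticket screen."""
    lines = [f"{ind:<40} {s}" for ind, s in sorted(result["hits"].items())] or ["no known indicators"]
    lines.append("sets: " + (", ".join(result["attributed_sets"]) or "none"))
    lines.append("ESCALATE to information security" if result["escalate"] else "no escalation")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(diagnose(SAMPLE_TICKET)))
```

The output is deliberately flat: indicator, attributed set, and an escalate/no-escalate line. The interesting design choice is that the escalation threshold counts distinct matched indicators rather than raw line matches, so a log that repeats one bad IP a hundred times is still one hit.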

We're looking for about 20 additional early adopters who'll be offered early adopter pricing as we mature our processes.

Interested?  Sign up here 

We'll offer seats on a first come, first served basis starting at the top of the list and working down.

BT BT

It seems everyone this week was flat out. The portal is busy, membership requests were coming in like crazy, and I had the opportunity to talk to one of my former DoD customers' supply chain partners about how to think about the new Defense Federal Acquisition Requirements (DFAR).

If you didn't know,  DFAR now requires prime contractors to sign off and attest to the security of their supply chain subs. This is a pretty tall order.  Personally I think that if the government doesn't trust the security of a company, well, don't buy from them! From the prime's perspective however, their subs are going to need help.. both intelligence (remember the daughter?) and a partner who can help them go from 0-80% as fast as possible. It was a great talk, but these guys are in for a real eye-opener. We're here to help. Red Sky Alliance for those with mature infosec teams. Wapack Labs for those who prefer tailored subscription intelligence and analysis, and Allagash for those who only want to query a web based tool for diagnostics.

Want to know what that supplier looks like before you attest as prime? Are you a sub wanting to check your systems before the prime does? Send us a system inventory of your supplier and we'll tell you what we know! We're chugging through a 4T drive as we speak. It's roughly 30 days of stuff from a 75,000 person company.  It's bigger than what we normally do, and it takes a little time, but we'll be providing diagnostics back to this company in the next week or so.  

I love my job!

Until next time,
Have a great week!
Jeff



Saturday, February 08, 2014

Red Sky Weekly (2/8/14): We NEED Intel!

WE WANT INTEL!  WE NEED INTEL!

We hear this a lot, and at the same time, I know for a fact that even if I gave it to them, they wouldn't know what to do with it!   Last week I met with several companies, but one of them was a five person company; another, 30,000.  The five person company had the ability to ingest intel. The 30,000 person company did not. ...but they wanted it in the worst way.. they just didn't know why.

An organization's ability to consume, process, and actually use threat intelligence is directly proportional to the maturity of their information security processes. Let me explain.

At the highest end of the maturity model, let's use CMMI-CYBER for kicks. CMMI uses a maturity model that runs from none, through level 5 --optimized and automated.

At maturity Level 5, APT is just another thing. At Level 1, companies know about it, but have never really done anything about it.

So here's what I know... at L5, companies want enormous amounts of data. They inspect and analyze everything. No packet goes unscrutinized, and every link and attachment is checked before entering the networks. These guys don't use your father's security tools. They use high speed, home-grown sensors on their networks because they don't trust the tech in stuff you buy (nor should you!), and the idea that they want to evaluate EVERYTHING that enters or leaves their network becomes a reality... all while keeping users happy and clicking away (it's gonna happen!). This is maturity in Information Security. It occurs when APT events become the new normal.

L5s use an assortment of these home grown proprietary tools that allow them to look into even the darkest corners of their networks. They know their network. They know how and when changes occur and how those changes affect operations. These guys need data. Intelligence keeps their blood flowing. SOC members at L5 companies compare data in their networks to intelligence and IOCs in real time. They realize that the IP address they're looking at both serves up DNS and at the same time opens a hole in their network. How that address is used is context. How it's going to be used in the future is intelligence. Intelligence matters because that L5 company will evaluate every piece of information that they get to manipulate and defend their network. L5 companies are efficient. They're constantly watching their external environment to know how it will affect their internal one.


L1 companies on the other hand don't monitor their network. They rely on their "firewall" and maybe they have anti-virus running on most machines. Grandpa, who runs the company, believes he's safe. Like a moonshiner sitting on the porch with a shotgun, he knows that 10-year-old firewall protects his largely flat network. It's funny. On the train back from NY the other night, I watched a guy write a presentation. I couldn't help it. He was a big-4 consultant working on the train. He was writing a document on mobile use in the enterprise... on his Windows XP machine. He'd been onsite at a customer location, and worked over remote access to his employer, on a machine whose operating system was never built for security! This guy was remoting home on a KNOWN COMPROMISED VPN. The L1 company doesn't need intelligence. They wouldn't know what to do with it. They're issuing laptops with insecure operating systems. Their networks are undoubtedly unmonitored. Certainly the VPNs weren't (spoiler alert.. it's one of the favorite vectors of entry!).  L1 companies rely on others for security.  They don't need intelligence. They need information, training, and maybe a little help.

At lower levels of maturity, companies make the mistake of becoming voracious consumers of IOCs. The IOCs get loaded into defenses, or they'll get loaded into individual hosts (computers) until users scream because their systems are slow. Don't confuse hash values, IP addresses, SSDeep hashes, and regex strings with intelligence. They may be, but consumers of these IOCs need to know the difference and how to use them effectively. That difference comes from maturity, and if you don't have it, or don't know where to get it, you're headed for a life of trial and error and whack-a-mole... (a problem pops up and you whack it... over and over and over and over...)

Intelligence is analyzed information that aids decisions about the future. 

Do you need IOCs for your UTMs, IPSs,  HIPS or DLP? Are you evaluating PCAP and need context? Are you preparing to open a conversation with your CIO or CEO?  Or are you working on your current posture trying to figure out what to do next?   There's intelligence supporting decision-making in all of these scenarios. In every case, intelligence will help you evaluate your current posture, identify the gaps in that posture, and make decisions about how to move forward.

BT BT

I spent last week on the road, and the team was flat out. We're chugging through a nearly 4T chunk of data in a triage experiment, at the same time, writing reports for the FS-ISAC and Red Sky Alliance. We're a small team. We love being busy. I had the opportunity to present to the Vigitrust team in Manhattan. Fun day!

Inside Red Sky...
  • This week we held our monthly threat call.. jump on the call and interact directly with other analysts. We hold weekly sessions by phone to understand priorities, but once every month we jump into a deeper dive of some of the reporting that's been posted. 
  • Sykipot resurfaced. Older versions still show up now and again.
  • One of our interns profiled yet another group of attackers.
Upcoming? We're hosting our quarterly threat day in Boston in March. We've invited the National Security Fellows from the Harvard Kennedy School to have cocktails with the membership during the night before. There are probably better names, but we call it Booz'n and Brainstorm'n. The NSFs are asked to bring a couple of hard problems to generate conversation. Our members will do the same. The NSFs are heading into influential positions in government. Our members are influential people in the security space, and do share a lot with the government. This should be a great night. We're hosting the "BnB" at the Harvard Club of Boston, with threat day held, for the first time, at a local hotel in Boston.

Enough for now.
Have a great week!
Jeff

Saturday, February 01, 2014

Red Sky Weekly: Developing your security plan? Try this simple exercise.

On Wednesday I had the misfortune of telling an attorney that his client had been breached... and breached bad. We discussed what would happen next.. how would he approach the problem. And do you know what he told me?

"I'm going to my security team." Good for you! I said.

And then he told me --"not the information security team; the physical security team." Why? I asked.

"They know people. And they can work with the information security people. Information security guys know bits and bytes. Physical security people know bad guys."

Wow. What a perspective! I've heard tell of converged security teams, and while some efforts have been really well done, as many seem to fail. To have this attorney, a pretty computer savvy guy in his own right, tell me he'll talk to his physical security guys before his information security team.. it hit me like a ton of bricks! It's easy to fall into a rut and think like the good guys, but isn't it just as important to think like the bad guys? How do we get information security guys to think more like the bad guys, but still use good business process?

When was the last time you took a realistic look at how bad guys might actually come into your network? Does your pen tester follow a script, or plug a wireless air freshener into your conference room, or a Pineapple in the coffee shop next to your office? Does he know how to exploit the print spooler or hard drive on your copier? When was the last time someone reviewed your DNS logs for persistent connections and larger than normal packets, monitored for command line net commands, or scoured your network for rogue virtual VPN concentrators behind your DMZ?
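The DNS log review in that paragraph is worth showing rather than just asking about. Below is an added example (my code, not anything from the post or from Red Sky) that runs two simple checks over a constructed DNS query log: a client asking for the same base domain on a near-fixed interval, which is what a persistent connection looks like even when the subdomain changes every time, and replies larger than a normal UDP DNS message. The one-line-per-query log format, the 512-byte and coefficient-of-variation thresholds, and the two-label base-domain heuristic are all assumptions for the example, not a real resolver's format.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log (not from the post): "epoch client qname qtype reply_bytes".
# 10.0.7.9 asks for a fresh subdomain of beacon.example.org every ~300 s and gets ~800-byte TXT answers.
SAMPLE_LOG = """\
1393600000 10.0.5.21 www.example.com A 120
1393600001 10.0.5.21 cdn.example.net A 98
1393600000 10.0.7.9 a3f9c1.beacon.example.org TXT 812
1393600300 10.0.7.9 b7e220.beacon.example.org TXT 790
1393600600 10.0.7.9 c91a0d.beacon.example.org TXT 805
1393600901 10.0.7.9 d44e7b.beacon.example.org TXT 799
1393601200 10.0.7.9 e01c55.beacon.example.org TXT 811
1393600050 10.0.5.21 mail.example.com MX 140
1393600400 10.0.5.21 www.example.com A 120
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+([A-Z]+)\s+(\d+)$")


def parse_log(text):
    """Turn the assumed one-line-per-query format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname, qtype, size = m.groups()
        records.append({"ts": int(ts), "client": client,
                        "qname": qname.lower().rstrip("."), "qtype": qtype, "size": int(size)})
    return records


def base_domain(qname):
    """Crude registrable-domain heuristic (last two labels); real use wants a public-suffix list."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def find_beacons(records, min_queries=4, max_cv=0.10):
    """Flag (client, base domain) pairs queried on a near-fixed interval.

    The persistent-connection signal is regularity: the coefficient of variation
    (stddev / mean) of the gaps between queries stays small even though the
    leftmost label changes on every query.
    """
    times_by_pair = defaultdict(list)
    for r in records:
        times_by_pair[(r["client"], base_domain(r["qname"]))].append(r["ts"])
    findings = []
    for (client, domain), times in times_by_pair.items():
        if len(times) < min_queries:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({"client": client, "domain": domain, "queries": len(times),
                             "interval_s": round(avg), "cv": round(cv, 3)})
    return findings


def find_oversized(records, max_bytes=512):
    """Replies bigger than a classic 512-byte UDP DNS message; data-carrying TXT answers are the usual reason."""
    return [r for r in records if r["size"] > max_bytes]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for f in find_beacons(recs):
        print(f"beacon: {f['client']} -> {f['domain']} every ~{f['interval_s']}s "
              f"({f['queries']} queries, cv={f['cv']})")
    for r in find_oversized(recs):
        print(f"oversized: {r['client']} {r['qname']} {r['qtype']} {r['size']} bytes")
```

On real logs the beacon check needs a longer window and a tolerance for jitter (malware authors add it on purpose), and the size check should be read alongside the query type: a large TXT or NULL answer to a workstation that has no business asking for either is the case worth chasing.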

...thinking like a bad guy. Acting like a good guy. How, you ask?

Try this simple group exercise. It'll help your team get past their good guy mentality. It's fun as hell, and is a VERY effective tool for brainstorming, cataloging, and prioritizing. Be creative.
  • Take a couple of hours with a few of the most devious folks you know in your infosec circles. These can be coworkers, but don't necessarily have to be. Grab a beer and start brainstorming. I like using sticky notes. Pass out a bunch of them. Each sticky note gets a single scenario. What's a scenario? It's a way someone might threaten, access your network, steal data, disrupt your business, etc. Stick to cyber. Keep it focused.
  • Post the stickies on the walls. Don't worry about where. Just get them up. Once up, they don't come back down. This is brainstorming. There are no stupid ideas.
  • Once the stickies are gone and the ideas exhausted, organize them. Lump them together on the wall in kill chain format. Start with Reconnaissance and work your way through to Actions on Objectives... seven phases, all representing layers of defense in depth in your environment. 
  • Now, look at your groupings. Multi-vote on the prioritization of the most likely scenarios in each grouping. This will help decide what you need to protect for first. Are there commonalities? Which do you think are more probable? 
  • Start listing defensive measures for each of the groupings, at each phase in the kill chain. Highest multi-voted stickies go first. The next go next, and so-on.
  • Take pictures of the now prioritized groupings with your smart phone. Print them off. Pass them out. 
  • Think about your environment. How do you protect for each prioritized sticky note? 
Now, go back to your office and formulate your plan. It's a simple matrix with all of the scenarios (the vulnerabilities you found) listed down the left, and the kill chain phases listed across the top. In every square, show how you've protected against that threat, risk, or vulnerability at that phase: green for mitigated, yellow for partially mitigated, red for not mitigated, and white where you simply don't know. Now go to work. You have a plan.
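The exercise above ends in a data structure, so here it is as one: an added Python example (mine, not from the post) that takes a pile of sticky notes, groups them by kill chain phase in chain order, sorts each group by multi-vote count, and renders the scenario-by-phase matrix with the four colours. The six sticky notes, their vote counts and their mitigation statuses are constructed for the example; the phase names are the standard seven from the Lockheed Martin kill chain.

```python
from collections import defaultdict

# The seven Lockheed Martin kill chain phases, in order.
KILL_CHAIN = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
              "Installation", "Command and Control", "Actions on Objectives"]

# Colours from the exercise: green mitigated, yellow partial, red not mitigated, white unknown.
COLOR = {"mitigated": "GREEN", "partial": "YELLOW", "none": "RED", "unknown": "WHITE"}

# Constructed sticky notes (not from the post): the scenario, the phase the group filed it under,
# its multi-vote count, and the mitigation status the team could state for each phase it touches.
STICKIES = [
    {"scenario": "Spearphish with weaponized PDF to finance staff", "phase": "Delivery", "votes": 7,
     "defenses": {"Delivery": "partial", "Exploitation": "mitigated", "Installation": "none"}},
    {"scenario": "Rogue wireless AP in conference room", "phase": "Delivery", "votes": 3,
     "defenses": {"Delivery": "none"}},
    {"scenario": "Copier print spooler exploited from guest VLAN", "phase": "Exploitation", "votes": 4,
     "defenses": {}},
    {"scenario": "DNS tunnel from workstation to external resolver", "phase": "Command and Control", "votes": 6,
     "defenses": {"Command and Control": "mitigated", "Actions on Objectives": "partial"}},
    {"scenario": "Org chart and email format scraped from LinkedIn", "phase": "Reconnaissance", "votes": 2,
     "defenses": {"Reconnaissance": "none"}},
    {"scenario": "Unmonitored VPN concentrator behind DMZ", "phase": "Command and Control", "votes": 5,
     "defenses": {"Command and Control": "partial"}},
]


def prioritize(stickies):
    """Group by kill chain phase (in chain order) and sort each group by votes, highest first."""
    groups = defaultdict(list)
    for s in stickies:
        if s["phase"] not in KILL_CHAIN:
            raise ValueError(f"unknown kill chain phase: {s['phase']}")
        groups[s["phase"]].append(s)
    return {phase: sorted(groups[phase], key=lambda s: -s["votes"])
            for phase in KILL_CHAIN if phase in groups}


def work_order(stickies):
    """The order to start on: highest multi-vote count first, regardless of phase."""
    return [s["scenario"] for s in sorted(stickies, key=lambda s: (-s["votes"], s["scenario"]))]


def coverage_gaps(stickies):
    """Phases nobody filed a sticky under: a blind spot in the brainstorm, which is itself a finding."""
    covered = {s["phase"] for s in stickies}
    return [p for p in KILL_CHAIN if p not in covered]


def plan_matrix(stickies):
    """Scenarios down the side (by votes), phases across the top, a colour in every cell.

    A phase with no stated defense for a scenario is 'unknown', hence white, exactly
    as the exercise says: unknowns are not the same as unmitigated.
    """
    rows = [["Scenario"] + KILL_CHAIN]
    for s in sorted(stickies, key=lambda s: -s["votes"]):
        rows.append([s["scenario"]] + [COLOR[s["defenses"].get(p, "unknown")] for p in KILL_CHAIN])
    return rows


def render_matrix(rows):
    """Fixed-width text version of the matrix for printing and handing out."""
    return "\n".join(row[0][:44].ljust(46) + " ".join(c[:6].ljust(6) for c in row[1:]) for row in rows)


if __name__ == "__main__":
    for phase, group in prioritize(STICKIES).items():
        print(phase + ": " + "; ".join(f"{s['scenario']} ({s['votes']})" for s in group))
    print("gaps:", coverage_gaps(STICKIES))
    print(render_matrix(plan_matrix(STICKIES)))
```

Two things fall out of running it that the wall of stickies does not show directly: the phases with no sticky at all (the brainstorm's own blind spots), and a row that is all white, which means the team could not say anything about its defenses for that scenario and should probably be the first one someone goes and looks at.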

So, we may not understand the psychology of criminal behavior, but we can leverage simple crowdsourcing to come up with a plan for protecting our networks. This very easy and fun exercise can be carried out in an afternoon, and is one of the best ways to get new perspectives on what might hurt you today, tomorrow or next week... and how you might prioritize and protect against these threats. 

BT BT

Wow. I can't believe January is over. I spent a night in Pittsburgh after a day with some folks who've just started a new security practice.. CBTS (Cincinnati Bell Technology Services) brought in a bunch of folks who'd been with GE Aerospace (CISO, Director of Incident Response, others) and started a new business. These are smart guys. I've been dealing with them since the startup days of our efforts dealing with APT (eight, ten years ago now? It seems like yesterday!). Anyway, great group of folks. If you need incident response for help on a major breach, other companies have LONG waiting lists. You might actually get an appointment with the CBTS folks!

What else is happening? The month started slow, but ended with a tornado of activity.

We're planning our outreach activities.. 

We're doing our first Booz'n and Brainstorm'n session of the year. What's a Booz'n and Brainstorm'n session? We invite really smart people. Usually a dozen or so, plus Red Sky members and the team. The price of admission for invites? Bring one or two ideas or problems that you face, and be ready to open conversation after the first martinis are gone. It's amazing how intellectual tennis plays out with small amounts of liquid brain lubrication! Our guys take notes, and we regroup the next day to figure out which ones can be acted on. It's great fun and intellectually stimulating all at the same time!

  • So, what is it? "Booz'n and Brainstorm'n" 
  • Where?  Harvard Club of Boston.. night before the threat day
  • Who?  It's an invitation-only event. We've invited National Security Fellows (NSFs) from the Harvard Kennedy School and CISOs or Chief Threat Intelligence folks in the Red Sky Alliance membership. The NSFs are mid-to-senior government and military folks who get sent off to Harvard to study for a year before taking on more influential positions. It's fun to exchange ideas with them over cocktails. We did one last March with last year's class. It was amazing fun! I'm very much looking forward to meeting the new crop of NSFs! 
Threat Day is coming up, tentatively scheduled for March 18th at a member site in Boston. As long as we've got members on travel, we figured we'd kill two birds with one stone. We normally do cocktails the night before, so why not do a Booz'n and Brainstorm'n session instead? Sounds like fun, right?


More from last week:

  • We published three analytic products this week.. a priority intelligence report (PIR), a Cyber Threat Analysis and Intelligence (CTA&I) report and a Fusion Report. PIRs are 'wolves closest to the sled'; the CTA&I report is 'what's coming'; and Fusion Reports are usually analytic, usually tech focused, and retrospective in nature. All tell a story and include indicators that you simply drop into your defenses. In fact, two of our members this week told us that they LOVE the Fusion Reports. One said they use every Snort signature. The other told us they'd won a major contract, largely because they participate in Red Sky Alliance and have access to great, deep Snort rules, YARA rules, high-confidence malicious mail information, and LM Kill Chain formatted IOCs. 


  • Wapack Labs is finally getting through the forming, storming, norming and performing of operating with the FS-ISAC SOC. We knew it'd take time, and were hoping by mid-February to find the rhythm. It looks like we're normalizing and settling in! 


We're building our outreach schedule for the year. If you're interested in sponsoring an event (this is new for us).. contact Steve Hunt. He's heading up the effort. We're in the process of scheduling a series of webinars, regional Booz'n and Brainstorm'n sessions and several other events.

Last, we authored a country report on Iceland entitled "A Wapack Labs Assessment of Risks to Information Security in Iceland". If you're considering using data centers in Iceland as your off-shored backup, drop us a note. We plan to market this report through Amazon and would be happy to add you to the distribution list when the report goes live.

Closing out... we talked of a manual process for crowdsourcing your security planning. Need help? Scenarios? Focus? Call us. You may consider joining our crowdsourcing engine (Red Sky Alliance). No pressure, but the best security planning comes from being able to exchange information with others... inside and outside of your peer group.  If you don't feel comfortable in the portal, call Wapack Labs. We'll tell you what we think are the priorities that you need to think through.

Amazing week. I'm hoping next week is as much fun! I think it will be. We've got about a half dozen inquiries for membership that we're doing demos for, and, I'll be on the road (actually in the air) on Wednesday for meetings in DC and NYC before returning Friday morning.

Until next time,
Have a great week!
Jeff




Saturday, January 25, 2014

Red Sky Weekly (1/25/14): Security is not the point.

I'd like to take a moment and introduce the latest addition to the Red Sky Alliance team. Steve Hunt joined us last week as our new Director of Community Engagement. Steve is one week into this new world of cyber spies, APT, and organized crime. I thought you might enjoy his fresh perspective as he jumps in feet first. 

--Jeff

BT BT

Security is not the point

Hi everyone.  This is my first blog as a Red Sky’er.  I’m starting to make the rounds, meeting my teammates and you, our members and prospective members.   Together we’ve had lots of interesting conversations, some of which surprised me.

For example, I heard one member describe his job as managing threats when his boss corrected him saying no, his job was to secure the business.  That got me thinking.

It’s an uphill battle to convince the decision-makers in any business that they need to invest in security.  Why? Because deep down, all professional businesspeople think security is an annoying layer of cost and inconvenience. If you walk in and tell them, “We need more security,” they hear, “We need more annoying layers of cost and inconvenience.”

Getting the buy-in for security products and services today means understanding what drives your company’s security purchase decisions—basically, what is going on in the mind of your bosses.  Fear, uncertainty and doubt are not the cleverest tools to use anymore.  Now businesses want something that sometimes seems like a foreign concept to the security profession: value.  If we security professionals don’t adapt and start answering the questions our business is really interested in, if we don’t stop talking about threats and instead talk about creating value for the business, we’ll never get the green light on new projects and improvements.

Remember, nobody wants security; they want the benefits of security.  That means that the housewife doesn’t want the finest deadbolt on the front door because of the excellence of its engineering or its impact resistance.  She wants a comfortable, happy place to raise her family. Businesses also want something other than security.  If a bank manager has a mandate to reduce expenses related to bank tellers, she has a couple of options.  She could fire all the tellers and lock up all the bank branches, but then the bank would have no interface with its customers.  Or she could take all the money, put it in piles on the street corner under a clipboard that says, “Take what you want, but write it down so we can balance your account.” That wouldn’t work either, obviously. The best solution for reducing teller expenses is to take the money, put it on the street corner locked in a box with a computer attached, and give customers a plastic card for authentication and auditing...

Security was never the point.  The bank had a business objective and achieved it by using some security.  That is how we all should think of security: as a way of helping our companies achieve the goals or value they seek.  Business managers, especially executives at the highest levels of an organization, have a very simple view of security: It is a tool in the corporate toolbox for enabling business.

It’s not our job to secure the network. It’s our job to secure the business.

-Steve



Saturday, January 18, 2014

Red Sky Weekly (1/18/14): IRnomics 102: How much will Lifelock for 110 million cost?

Between 2009 and 2012, Target underwent an enterprise-wide forklift upgrade of their entire payment processing systems. Roughly 1700 stores (~360,000 employees) and their entire backend were refitted, moving from a proprietary system to a system of integrated systems, virtualization, and third-party processes. Few IT personnel are left in the stores, and likely no information security personnel.

According to their annual report, Target realized $2.9 billion in net revenues in 2012. I’ll be interested to see what the ‘13 and ‘14 reports look like.

There are costs to the business. Target is only one example.

Nearly any 'corporate' CISO knows the experience of asking 'the business' for money. It's part of the job. The corporate CISO becomes the vendor, having to prove his/her worth. How many times have you gone to one of those business units and hit them up for money to fund your infosec operation, only to be asked "what do I get for it?"

Welcome my friends, to the world of sales... you now have a new customer, and best friend!

Treat that internal VP like an external customer.

Become an internal entrepreneur. The formula is actually pretty simple to say but slightly harder to do. It’s why not everyone makes it to the ranks of the CISO. Here’s what you do...

  • Make that internal VP a company hero. When you do your job, it should make him/her look good.
  • Communicate. Find things and tell him... preferably before everyone else does.
  • Don't take all day about it. Be right, be brief, and be gone.
  • Use the momentum of that small win to find opportunities to find more.
  • Become the trusted advisor. You'll get your money.
  • It works.

A few months ago I had the opportunity to tell a CISO that one of his business units was leaking data. In fact, I gave him a bit more. I told him that the business unit in question had purchased a multi-million dollar computer aided drafting/manufacturing application from another company.  I told him that the business had purchased it several years ago, and since then, they've been losing data.

We believe the application is probably toast, and since installation has been sending data home to someone else... important stuff. 15 Gb of important stuff that we know of. Likely a third or so of those drawings were redos of previous work, drafts, or miscellaneous clutter, but for argument's sake, let's call this a 10 Gb loss. Let’s also assume that each drawing takes one engineer one eight-hour day to produce, not including R&D, corrections/QA, etc... 1Mb = 8 hours of labor (with me so far?)

We had hundreds of drawings. What's it worth? Let's do some math…

  • 1 Gb = 1000 Mb, therefore 10Gb = 10,000 Mb
  • Let's assume each drawing was 1Mb in size (1 Mb seems reasonable)
  • If 1Mb = 1 day to produce, then 10,000 Mb = 10,000 days, or 80,000 hours of work.
  • If true, this company lost nearly 45 man-years of work!
  • Depending on the cost of your people, this could represent $4 to 5 million dollars in labor.
  • I'm betting that for every 1Mb of drawings, there's a month (more or less) of engineering time behind it. This could mean an actual loss of roughly 2,400,000 hours of technical R&D, drawing, QA, and possibly post-integration upgrades.

So what’s the value to this business?

This business (that VP) probably wants to know that they're losing intellectual property, are at risk, or will find themselves in the headlights. And more importantly, how can they take care of it, quickly and efficiently, while still doing business, not losing face, not being investigated, and continuing to keep a high goodwill (reputational) value with their current and future customers? The business gets paid on sales and margins. Infosec takes away from margins. So, how does the corporate CISO handle this issue?

Every business wants three things:

  • What’s going to hurt them?
  • What do they do about it (as inexpensively as possible)?
  • What can you, the CISO, show them that will prove their investment in your team helped reduce their costs to produce their goods or services, or made money for them?

In my own case, we started an “APT” shop years ago. We got about a million dollars from the corporate CISO, and another $3 mil from one of the other businesses. They developed tech that a lot of people wanted... and when the check came, they became our highest value customer. The budget didn't need to grow much to keep us going, but the value resulting from the relationship built on that "highest value customer" premise ended up funding my former team (started in 2006) for almost 10 years... it's still going, and stronger than ever.

We've been getting this question a lot lately.

How does an information security shop get funded in light of advanced attackers, who hunt and kill so skillfully and so quietly?  My formula is actually quite simple. If you're a CISO, and you need to find funding, go read Dr. John Kotter's 8 Steps to Leading Change. It's a simple model, based largely on common sense and intuition, but written down to allow you to actually follow a process (I need process!). It basically says this.. find the first thing you can do. Be successful, and use the momentum to build more champions, find more opportunities, and continue to act. It's the same process in dealing with your business unit customers.. find the first thing. Hit it out of the park. Use the momentum to find number two. Don't strike out.

1800 man years of labor.. gone.

110 million Lifelock accounts.

BT BT

Thursday night we hosted about 25 ISSA members in the New Hampshire Chapter. It was a great night. Thank you all for coming! Interesting to me is that we (Red Sky) have members all over the world, but only two in all of New England, and one of them is in New Hampshire, so it was really great to be able to show off a little bit to the local infosec teams.

We're in the throes of analysis. We've probably had a dozen calls on the Target breach, and although we did publish a report for the Red Sky members, we don't post anything externally, and we don't comment to non-members. We're keeping our fingers in it, and have come to our own conclusions on the subject. We're updating our reporting to the members as we speak. I guess first to press wins.. and first to out an attacker gets some sort of prize. We're not worried so much about that. We'll take another day or two, and get a detailed report posted to the membership.  BZ to iSight for getting this out.. Nice job!

Ok folks. That's it for now.
Until next time, have a great week!
Jeff


Saturday, January 11, 2014

Red Sky Weekly (1-11-14): 'IR'nomics 101 (Incident Response Economics 101)

I met with a venture capital company yesterday. We hadn't really thought about meeting with funding sources until this week, when one of our incoming members asked if we'd like to have a conversation. Why not? You just never know where new members or referrals, or possible research/analysis for the lab, might come from.

I prepared five slides. On the first slide, we described the problem that we solve. The extemporaneous version goes something like this:

Companies everywhere are having their computers broken into.

They lose credit cards, business information, privacy data and intellectual property… all at very high costs in terms of money, reputation, and business operations. In fact, in 2012 we ran what my former boss would call a 'gin and tonic' survey. I asked the question of several dozen CISOs: "what did the last targeted or APT attack cost you to clean up?" The smallest number was $1.9 million. The highest was $10 million. The Ponemon Institute last year reported an average of $1.4 million.

The VC didn't believe the numbers. He couldn't understand how response might cost so much. I don't think he thought I was making it up, but he just had no idea why. 

So let's try this.. for the money guys, business guys, or for you CISOs out there who have to communicate this to your CIO or C-suite, I'm calling this post 'IR'nomics 101.

First let's level-set the field. You need to understand a few variables. In every case, dozens of variables go into even the most basic detection and response. Here are just a few:
  • Heterogeneity - Every environment, even the small ones, is going to be heterogeneous. Chances are you'll have mobile, cloud, connections to sales staff, possibly manufacturing systems, BYOD.. and if you've acquired another company to allow growth, you've acquired their heterogeneity as well, leaving you with a heterogeneous system of interconnected heterogeneous systems. And worse, you don't acquire companies for their impeccable network hygiene, you buy them to make money. And when they stop, you divest. 
  • Complexities in layers (of heterogeneous defense in depth): So now that you understand the heterogeneity in your environment, consider the infosec posture that you've either built, haven't built, or inherited through acquisition. If you've not been through the forklift security upgrade following your first oh sh*t moment, I'm betting your security posture wasn't built purposefully, it was built on the fly to accommodate growth... if at all.
  • Autonomy of businesses: The terms 'division', 'sector', or 'business unit'. All mean the same thing.. autonomous units of business operations. And do you know where the Presidents or VPs of these business operations report? Not to the CISO! They get graded on revenues and margins, not on their impeccable network hygiene. And you know what? There's a good chance your security team (if you have one) doesn't have eyes on all of these autonomous businesses. In fact, I can guarantee it. 
  • Geolocation and connectivity: Even with a system in a building down the road, geolocation adds cost. Administration, monitoring, security and response all require travel, or, having local help desks, administration, and likely at least one local security person. 

Without considering maturity of the team, skill levels, situational awareness, and many others, you now understand a small sample of the variables associated with this 'IR'nomics lesson...

Let's use 1000 computers for our example. I've operated in the 100,000+ computer space, but those numbers are staggering and my VC friend will absolutely not believe those numbers.. so let's keep it smaller for now.

In our example, the CIO (there may not be a CISO yet) gets a call from the FBI (our call came from NCIS), telling us that there's a problem. So you download a host based tool to check your systems --CarbonBlack, the Maddrix tools, Mandiant (FireEye?), or one of the others. And on your first run, what do you find? You're gonna want a drink. Your stomach will hurt and you, as the CISO will fear for your job. You're going to have at least 10% (this is being REALLY conservative) of your computers being reported compromised.  

So let's assume 100 computers are now being reported compromised. What next? Here's the typical work flow:
  1. Locate the machine: Typically the security team will want a copy of one of the machines, so they'll run it down. This almost always takes time. The scanners don't necessarily give you the location of the computer, but you'll probably look in a global directory of some sort, or possibly call HR. However this happens, it's probably going to take a few hours to locate the first offending device.  
  2. Pull it off line: This isn't as simple as walking into an office and unplugging a machine. In larger companies you may have to call a help desk or a desktop team, to make sure that first employee is taken offline. Maybe this is another couple of hours required by either your own, or another department. Regardless, it costs money. 
  3. Bring it back to the office to tear it apart and figure out what's going on: Here's where the fun starts. Unless you're planning on burning down the machine and rebuilding (as many do), you're probably going to want to know what caused the scanner to flag. Is this real? False positive? How bad is it? How do we keep it from happening again? The first machine gets a day or so of attention. In my last job, the average seemed to be about three days of intrusion analysis in total. This number will drop with experience, but three work days is probably about right.
  4. Moving forward: Now that you know what caused the problem, you've got to come up with a strategy to fix it. In most cases, this will absolutely be a team sport. You still have 99 other machines that you've not looked at, in various parts of the company. 100 machines offline is going to really hurt. Maybe you take a weekend for the clean up. You'll have your entire IT and Infosec teams on board. You'll probably burn and reload all 100. You'll generate rules for your IPS, add a tool or two to your network; maybe reconfigure some security controls. Depending on the response, this can get really expensive --especially when companies don't bring in consultants who've been through this before --and usually they don't. 
Bottom line.. one of our members (who tends to measure everything) says that his average cost to clean up a desktop is about $10,000. The average server cleanup cost is about $40,000. So even in this very simple example, using even basic numbers, the cleanup of these 100 computers, assuming a mix of desktops and servers, quickly reaches $1 million in response time. Now add in strategy, communications, network changes, responses added to intrusion prevention systems, HIPS, antivirus, etc... and we've not even considered losses, fines, or financial remediation for losses of privacy information, credit card data, intellectual property or long-term competitiveness. $1.4 million (per Ponemon) is an easy number to swallow.

Now consider this. Even the most sophisticated companies will face at least one of these breaches per month. Most say they have at least one every week. And if you've not been through it before, you're more likely to deal with as many as three to five every day.

The sky is not falling.

Every company goes through a maturation process. It's probably better described as a growth spurt (baptism by fire?). All companies start out as consumers of intelligence. Their security team will go to the Internet and start digging for places to get help. Or maybe (the smart companies) will hire a consultant who'll tell them where to get data (usually indicators of compromise). You'll consume as many IOCs as you can get. You won't care about the story behind them. You'll implement them without thinking. And after a while, you'll start producing your own. You'll want to know who's doing it to you. You'll start digging for more information, people to talk to, and you'll share war stories over beers. You'll build an informal network of fellow commiserators. Commiseration will quickly turn to sharing intelligence and tips. And you'll get better at detection and response. And soon, these events will be your new normal. Those targeted events will become routine. You just do it. 

The idea behind threat intelligence sources is that you can significantly reduce the cycle times discussed above by comparing notes with others. Some folks don't mind doing it on open forums, Google groups, etc. These are usually free sources of good raw, tactical information, and the conversations can oftentimes tip you off to the latest trending attacks. Others, maybe those with regulatory concerns, concerns for intellectual property, or just those who don't want to show their cards on the Internet, want to get their intelligence in more private locations. Bankers don't like to talk openly to other bankers about a cyber breach if they think there's a government regulator in the room. Healthcare, Energy, Defense, and many others have similar concerns. So they come into Red Sky. They ask questions, compare notes, and share information. And in those conversations, they help each other diagnose happenings on their networks. 

The rest of my elevator pitch?

...And there’s a seemingly endless supply of places you can buy or download ‘cyber indicators’ – pieces of information that can help you know if you’ve been broken into or protect yourself from future break-ins. But how do you know which of those you should use? Which ones are any good? Which ones are used to protect your type of business? Which ones protect you from the attackers most likely to strike today? Tomorrow? …or the ones most likely to do the most damage to your business?
That requires context. Context comes from intelligence and analysis.

Red Sky and Wapack Labs offer that contextual information that can help the security team decide what to protect against today, then tomorrow, then next week.

Until next time.. 
Have a great weekend!
Jeff