Saturday, April 19, 2014

Red Sky Weekly: What's happening in Wapack Labs?

Heartbleed? Yeah, we're watching too. We try hard to identify and talk about things others don't. There's a ton of messaging on Heartbleed, and I don't want to just repeat what others have already said, so this week I'm going to talk a bit about Wapack Labs. 

As a bit of a primer, Wapack Labs is an independent company located in Manchester, NH. We recognized early that as facilitators of information sharing in the Red Sky portal, our abilities as incident responders, forensic guys, auditors, or whatever background we came from, would quickly rust if we didn't find ways to participate in a material way, and keep those skills sharply honed. So we started Wapack Labs as a forensic shop hoping to use it to support the membership. We created it as a separate company because it didn't fit nicely into the information sharing construct, and manned it with a couple of new folks, in a new lease in Manchester, with its own ecosystem and infrastructure. We realized quickly however that we weren't going to make a living on forensics, so rather than blow off the remainder of the lease, let the people go, and sell all of the gear, we decided to focus the lab on our core competency --intelligence and analysis. We still have a forensic capability, and we have a great guy manning that con, but the core competency of the lab is managing and operating an intelligence cycle and publishing results to various customers --Red Sky Alliance, the FS-ISAC, and dozens of companies. Today, nearly all analysis that goes into Red Sky Alliance from our participation comes from primary sourced data, collected to answer specific questions, using great process... in Wapack Labs.

And while the portal remains busy, the analytics coming out of the lab have just been amazing lately, so I thought I'd share some of it, getting back to our roots of summarizing weekly happenings in our analytics, and not just Jeff sharing stories, ideology and lessons.

At the macro cyber-geopolitical perspective, we've got a couple of folks dedicated to tracking significant happenings in the world today:

  • Ukraine and Russia: There's a serious lack of press on this topic, but we know there's no shortage of cyber activity. The cyber conflict currently lies between the two countries, but we monitor for escalation, spill-over that might affect our members/customers, and for lessons learned about future protections against government-sponsored cyber activities targeting individuals or companies. Guys in the lab are keeping a close eye on developments. One of our analysts is a native Russian speaker and we use him to translate and provide running commentary. This week, the team, based on his work, drafted a timely and relevant profile on a suspected intelligence group operating within Ukraine, including their use of cyber tactics. The report offers details and analysis that have yet to be captured in Western media. We believe that we will see more activity from these guys as Russia escalates its operations in Eastern Ukraine... and we will continue to monitor and report to our Red Sky Alliance members and Wapack Labs customers.
  • Country studies: The guys are working through our second country study. The idea is to assist organizations in planning their security, based on their geographic diversity, customer base, technical resources, network environment, and infrastructure conditions. Our first study was Iceland. It's a great little spot in the north Atlantic with a TON of power, great bandwidth, and dirt cheap datacenter space. We wrapped that up about two months ago. Our second will be announced in May, but as with Iceland, this is a research project that considers the factors that affect cyber, decision making, threats and risks, drawing on a number of sources: intelligence, geographic, political, and cyber.

At the micro level, we continue to be busy. Work keeps coming.
  • New botnet: This week we pushed out a "part one of two" technical report. Part one provides details on several new IRC botnets seen targeting the financial sector. Part two will be published next week, offering an inspection of, and details on, the related infrastructure.
  • Targeting Korean Banking: Our second report this week detailed a family of popular Chinese malware that was re-purposed for targeting Korean banks and the banking infrastructure. Fortunately, the mitigations that we developed and published not only protect against this variant, but against all variants of the parent malware family.

BT BT

If you're detecting a slightly different tone in my messaging this week, it's because there is in fact a slightly different tone in my messaging. I've been making the rounds, talking with Red Sky members, asking them what they like, don't like, and how we might do better. 

The overwhelming answer is this: "We love what you do! But we don't always like having to get it from a portal!" So on that, even though we're only about a third of the way through the interviews, it appears that the deep techies who use the portal regularly love the portal. But that leaves about 58% of our user base who need alternative delivery mechanisms. So ask, and you will receive!

Our messaging has shifted a bit from "Come be part of our information sharing environment!" to "We (Wapack Labs) author intelligence and analysis... and we can deliver it how you need it." Want to share information, compare notes? We have that! The Red Sky Alliance portal isn't going anywhere, and assuming qualification and Advisor approval, subscribers to services through Wapack Labs will receive access to one of the portals. Only want access to an automated system to query indicators? We have that too. Subscription service? The lab can tailor your subscription to just about any requirements, and output just about any format you want --STIX/TAXII, Snort signatures, SIM packages... whatever.

We author great intelligence and analysis... and we'll deliver it in any format you need.

I promised to keep it short. 
Until next time, have a great weekend!
Jeff


Saturday, April 12, 2014

Red Sky Weekly: What will the cyber of my grandchildren look like?

We started a project last summer, where we track the growth of government sponsored offensive operations around the world. It's a work in progress. When we started, our first cut at our "GEOPOL Matrix" reported six countries with officially sponsored offensive cyber organizations. Our last cut? 22. At the beginning of February, 22 countries sport the triad of Surveillance, Defense and Offensive cyber capabilities. So, I suggest... If the growth chart of cyber as a means of influence were a hockey stick, I'd say we're starting to hit the curve. Cyber complexity is going to grow exponentially, and with it a proportional number of places it can be exploited.

In 1999, I spoke on cyber espionage at a SANS conference. I'll never forget it. In one of the reviews someone said I was selling FUD (fear, uncertainty, and doubt). Another called my presentation snake oil. How did I know that cyber would become the principal location for future intelligence operations? Because I was, at the time, farming open source data on a daily basis looking for clues to subjects I'd been tasked with researching... nothing covert. Everything was in the open, but even back then I was amazed at the huge amount of data that companies and countries were putting on the internet --and what a massive advantage that gave me. The seeds were being planted in that garden --one with amazing dark soil, plenty of water, and the patch where EVERYBODY planted their best stuff. Now, 15 years later, cyber is probably the most exploited patch of dark land; the corn is waist high and looking good.

Also now, 15 years later, on nearly a daily basis someone loses a million credit cards, and intellectual property is lost. And the credit cards? Who cares, right? The banks make it right. And the intellectual property? Well, this stuff doesn't make it into the news as often as millions of lost credit cards, and when it does, you'd think we'd be shocked, but frankly, it's the new normal. And Heartbleed? It's bad... really bad... but who cares. It's just another thing.

So what about 15 years from now? Beyond the idea of data loss and beyond the espionage... both will always be there --they have been forever, in and out of cyber space. 15 years from now, many governments (and companies) will have their own cyber programs --warfare, attack, surveillance and defense. Think about it. In every case, when a country prepares for conflict, there's a timeline that's followed. And even today, kinetic options include dropping bombs on communications nodes, power generation, and other targets critical to operations. So is a power plant an arm of the military? What about the telecom provider that runs the cell or satellite services? Of course not. But those stockholder-owned private companies ARE military targets during conflict. And do you think the stockholders aren't going to demand that the companies fight back? My bet is they will. Disintermediation is real. Militaries can and do attack civilian targets. And I don't think it's going to be just militaries... In the future, cyber is going to make it so very easy that others will jump into the fight... civilian on civilian, military on civilian, and civilian on military. Heck, we see it today. There are plenty of examples of government sponsored cyber, and on the non-government side? The SEA, Anonymous, and others form behind causes, taking patriotism and hacktivism into the realm of cyber action.

If cyber could be used to effect change in the behavior of an adversary (change in behavior is always the goal), and it could be accomplished without using kinetic options (dropping bombs, shooting at people, etc.), and the risk of human loss is minimized on both the attacker and defender side --if one could take down power, food, water, transportation, command and control/communications, or whatever someone chooses to take down, simply by hacking a computer and turning it off --even if only for an hour or two... would it work? You bet.

It's going to become really easy to do. How many times have you been asked to answer a 'security question'... "What is your mother's maiden name?" "What was your first car?" "What is your favorite movie?" Add to that, your car, the airplane you fly, the train you take to work, heck, your refrigerator and toaster all have things that communicate with the internet. The amount of intelligence that is stored by companies asking these questions, intelligence that can be collected based only on personal questions, added to the devices and data in your everyday life, geolocation services of GPS turned on in nearly every device, and the ability to target very specific people or things to effect change? Wow. The bits of information out there --even today --will enable massive opportunities for cyber exploitation --and very personalized cyber exploitation.

And now it appears countries are turning off their Internet gateways when the Internet is threatened. The risk of an espionage attack, or DDoS, or the likelihood of loss of integrity has overshadowed open communications across borders, and the ability to hear directly from journalists, citizens, the persecuted and the attackers during crisis is being slowly turned off. Isn't this where we came from? Let's not go back. 

What will the cyber of my grandchildren look like? 

I don't have an answer. 

BT BT

In the last few weeks I've been making the rounds, talking with Red Sky members face-to-face. We've grown a lot in the last two years, and in many cases, in areas we never thought we would. I'm looking for feedback from our customers as we head into the normalization phase of moving from a bootstrapped, cash-flow company to a small enterprise. We didn't take venture money when we started this two years ago. We built this ourselves with the idea that we could work with our membership and shape the offering to them... and I believe we have.

We're reshaping our message, and looking at how we currently deliver analysis. Some love the portal. In fact, many log in first thing in the morning and stay on all day. Others check it once a month or so. Some get a digest. Our bottom line? Wapack Labs looks for things to provide our members. We're looking for ways to innovate. And for our members who love the Red Sky portal, we'll continue to push information into it, participate in conversations, and rub antennas with the techies. For those members who need information delivered in other ways, and in other forms? We want to know that too. 

So I'm looking forward to seeing you all as I make the rounds. And I'm hoping to see many of you at our Threat Day in Tampa in June. 

For non-members... we're going to host an offsite following the Threat Day. Come meet the team! Have a cocktail on us. I'll post the time and place as we get closer.

Ok. It's a sunny day, and I've got work to get done.
Until next time,
Have a great weekend!
Jeff

Saturday, April 05, 2014

Red Sky Weekly - Can YOUR box serve whoopie pies?

My history and cynicism are good indications that I'm long in the tooth in this space, although I've never been able to grow that grey beard. You can apply the codger moniker with high confidence based on the analytic rigor of multiple primary sourced blog entries by me over the years. Yes, I look at cyber in a very specific way and I've been around long enough to consider myself seasoned and experienced.

I had beers and cigars last night at the Cancun Cantina with three old friends. One of the guys was a Marine E6 when we met. I was a new LTjg. He's preparing to retire as a Warrant Officer now. Another was the head of Incident Response when we worked together, now, Chief Technology Officer. The last is the CISO for a local defense contractor.

Our talk sounded like sea stories. In the late 90s my Marine friend and I (and others) earned our stripes analyzing Moonlight Maze, Solar Sunrise, the downing of the EP3 in Hainan Island and just about any cyber event (they weren't called cyber at the time), or events with cyber consequences. Our team authored the first models for behavioral analysis, spending countless hours with Suresh Konda coding thousands of compiled computer intrusions, to be used in the early days of SiLK models.

I was reintroduced to this world in 2006 as Titan Rain was winding down, and another set of intrusions (perhaps just renamed?) was ramping up --known by a name I believe to be still classified, I'll refer you to a link. Before any new attribution names were assigned to the new activities, my incident response buddy and I sat on opposite sides of the table. Me, the intel guy, wanted to leave systems up to learn the lessons. His job was to get them back online. We joked about lots of beer, midnight Guitar Hero in our Mass-based lab, and many, many near fistfights with wide open screaming mouths, and a LOT of spit flying over the table as we discussed ways forward.

The last, the CISO, has been doing this from the start, but we only met a couple of years ago. He's seen it all, developed all of his own tools, and takes pride in changing log-in credentials to offensive messages because he knows the attackers will read them.

It was a fun night. Working 166 of the 168 hours available during the week at the time burns you out fast, but looking back on it now, it doesn't seem so bad. The shared experience of having been on the cutting edge of this new era of cyber, while not good for computers, was a real learning experience for us. All three of us --and many others --had real impact on the way these events are handled today, and the lessons that will be passed to those who've not yet experienced their oh sh*t moment... that moment when you realize someone is in your network; you've never seen it before, and you have absolutely no idea what to do about it.

For us, I wish we knew then what we know now. In uniform, who we asked for help was easy. Unfortunately we were the experts! Roughly 10 years ago we joined FIRST, and looked for active places to share lessons learned and ask for help, but FIRST members hadn't been seeing the kinds of activities we were working, so out of sheer exhaustion, three companies signed NDAs and started sharing APT information. I believe they're up to about 60 or so now... I've not kept up.

Today, there's no end to the number of places that'll sell you Indicators of Compromise (IOCs). You can read about much of the happenings in open source Google groups and an endless supply of links on LinkedIn. There is no easy button, but there are seemingly hundreds of vendors that'll sell you a box with a red light that lights up when spies or thieves are being gangster-slapped at the border router automatically by your new magic box, or a green light when that sexy magic box is humming along, bored, because it's not killing connections.

So yes, the codger moniker? The idea that I look at everything in this space with one eye closed, squinting with the other, isn't just because my bifocals require their now annual update. It's because when I hear a vendor tell a customer that their magic 8 ball answers 'yes you can' to the question 'can I buy a box that'll kill every bad connection, allow every good one, and at the same time fill all of the compliance needs, supply metrics required by management, and when asked, prepare and deliver a perfect whoopie pie in a little glass door that serves as both the ingestion spot for gobbling all of those IOCs and when needed, the dispensing door for that really awesome chocolatey creamy taste of heaven'... I laugh... out loud.

Yup. I've been doing this a while. I need some intellectual tennis with people new to the space, so Monday morning before heading out of Manchester, I spoke to a class at the University of New Hampshire. The class had kids from all areas - computer information systems/science, liberal arts, business, and included a couple of veterans. I offered a talk, as I often do, on the state of cyber --What is APT? How is it that companies lose credit cards? ... a basic threat brief. I wasn't peppered with questions, but the ones I did get were good:

  • Are we winning the cyberwar? If not, why not?
  • What are my thoughts on Edward Snowden?
  • How do we get involved? What is the path to follow to get into information security?
Great questions all. I did my best to explain the complexity in current networks. Cloud, mobile, virtualization. Insourcing, outsourcing. They got the point. Complexity kills, and in this case complex cyber leads to holes.

I won't go into the others, but then I turned my question cannon on them...

"Should we be able to fire back?" I asked.

Without hesitation, a young student (a sophomore?), who looked like she should still be in high school, answered "YES!" "Why?" I asked.

"It's fun! When someone hacks me, it's fun to hack them back!"

I can't wait until she's ready for an internship! 

BT BT

I'm running around the country this week doing face-to-faces with Red Sky members. It's two years in, and seems like a good time to get some honest feedback. As far as I can tell... I've heard many times... companies love our analysis products, and those who like to work in the portal --typically the deep tech folks --are always in the Red Sky portal, talking, working, sharing. We have power users. Others are less enthusiastic about logging into yet another portal. So as I meet with customers, I'm looking for good feedback on what they like, and what we could do better!

If you're interested in having a look at what Red Sky Alliance does, or some of the tailored intelligence and analysis coming from Wapack Labs, drop me a note. We're pushing before summer sets in, and happy to set up a time!

So until next time,
Have a great weekend!
Jeff

Saturday, March 29, 2014

Red Sky Weekly - "You don't know what you don't know"

We've been looking at a lot of data lately. Government, commercial, big company and small. Tests, logs, diagnostics, pre-audit, you name it. And in every case, the owners of the network are shocked. Most had no idea that so much activity is going on in their networks. Why? How could they not know? Hundreds of non-sensical domain names associated with port 53/UDP (hint - crimeware) on IP addresses used to allocate the movement of (ahem) a LOT of money, VPN over DNS in nearly every environment we look at, and worse, Windows Credential Editor - a tool that steals valid credentials from Windows web services --back to the last reboot.

Without exaggeration, nearly every organization that we look at has hidden services like these running in their environment, and there's almost no way the owners will know unless someone like us tells them about it.
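As a defender-side illustration of the "nonsensical domain names on 53/UDP" and VPN-over-DNS signal described above, here is an added example (not code from the original post or from Wapack Labs) that scores constructed resolver log lines per registered domain and flags tunnelling candidates only when several signals agree. The log format, the thresholds, and the domain names are assumptions.

```python
"""Flag DNS tunnelling candidates in resolver log lines (added example).

Assumed log format, one query per line: "<timestamp> <client_ip> <qtype> <qname>".
"""
import math
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$"
)

# Constructed sample: ordinary lookups plus a VPN-over-DNS style stream whose
# first label carries encoded payload (hex here; real tools use base32/base64).
# The last line is deliberately malformed to show that parsing is tolerant.
SAMPLE_LOG = """\
2014-03-28T08:00:01 10.1.2.3 A www.example.com
2014-03-28T08:00:02 10.1.2.3 A mail.example.com
2014-03-28T08:00:03 10.1.2.4 A cdn.example.com
2014-03-28T08:00:04 10.1.2.4 A api.example.com
2014-03-28T08:00:05 10.1.2.5 A static.example.com
2014-03-28T08:00:06 10.1.2.5 A login.example.com
2014-03-28T08:00:07 10.1.2.3 A www.example.com
2014-03-28T08:00:08 10.1.2.7 TXT 5a3f9c1e7b2d4a8f6c0e1b9d3f7a2c4e.t.tunnel-example.net
2014-03-28T08:00:09 10.1.2.7 TXT 9d1b7e3a5c2f8e4d0a6b1c3e5f7a9b2d.t.tunnel-example.net
2014-03-28T08:00:10 10.1.2.7 TXT 3c7e1a9f5b0d8a2e4c6f1b3d9e7a5c0f.t.tunnel-example.net
2014-03-28T08:00:11 10.1.2.7 TXT e2b8d4f0a6c1e9b3d5f7a2c4e6b8d0f1.t.tunnel-example.net
2014-03-28T08:00:12 10.1.2.7 TXT 7f3a9c5e1b8d2f6a0c4e3b7d9f1a5c2e.t.tunnel-example.net
2014-03-28T08:00:13 10.1.2.7 TXT 4d8b2f6a0e9c3d7b1f5a8e2c6d0b4f9a.t.tunnel-example.net
this line is garbage and must be skipped
"""


def parse_line(line):
    """Return (client, qtype, qname) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("client"), m.group("qtype"), m.group("qname").rstrip(".").lower()


def shannon_entropy(text):
    """Bits of entropy per character; 0.0 for an empty or single-symbol string."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Last two labels. Assumption: no public-suffix list, so 'co.uk'-style
    suffixes would need extra handling in real use."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def analyze(log_text):
    """Aggregate, per registered domain, the signals that separate tunnelling
    from ordinary traffic: distinct names, first-label length, entropy, and
    the share of TXT/NULL queries (record types tunnelling tools favour)."""
    acc = defaultdict(lambda: {"queries": 0, "names": set(), "len": 0,
                               "entropy": 0.0, "txt_null": 0})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skip, never crash the analysis
        _client, qtype, qname = parsed
        rec = acc[registered_domain(qname)]
        first_label = qname.split(".")[0]
        rec["queries"] += 1
        rec["names"].add(qname)
        rec["len"] += len(first_label)
        rec["entropy"] += shannon_entropy(first_label)
        if qtype in ("TXT", "NULL"):
            rec["txt_null"] += 1
    stats = {}
    for domain, rec in acc.items():
        n = rec["queries"]
        stats[domain] = {
            "queries": n,
            "unique_subdomains": len(rec["names"]),
            "avg_label_len": rec["len"] / n,
            "avg_entropy": rec["entropy"] / n,
            "txt_null_ratio": rec["txt_null"] / n,
        }
    return stats


def flag_tunnel_candidates(stats, min_unique=5, min_label_len=20, min_entropy=3.0):
    """A domain is a candidate only when all three signals agree: many distinct
    names, long first labels, and high per-label entropy. A busy CDN has many
    names but short, low-entropy labels, so it is not flagged. Thresholds are
    illustrative starting points (assumed), not tuned values."""
    return sorted(
        d for d, s in stats.items()
        if s["unique_subdomains"] >= min_unique
        and s["avg_label_len"] >= min_label_len
        and s["avg_entropy"] >= min_entropy
    )


if __name__ == "__main__":
    s = analyze(SAMPLE_LOG)
    for d in flag_tunnel_candidates(s):
        print(f"{d}: {s[d]}")
```

In a real deployment the per-domain counters would be kept over a time window and the thresholds tuned against a baseline of known-good resolver traffic.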

This is a frequency analysis from a FireEye blog covering May through September 2012. It's one of my favorite graphics. It represents the problem perfectly. I show this graphic in the first slide of nearly every presentation I do. It showcases nicely why companies might not have any idea of the sheer volume of activity. In fact, I'd argue some of this is simply above the capabilities of many CISOs. (And by the way, NIST 800-53 was good in 2004, but it's not going to help you here...)

Let me explain...

The red and blue lines across the bottom are detects and drops of inbound malicious links and attachments. The orange line is the outbound command and control --the remote control connection that the human at the other end uses to tell the victim computers what to do. The red and blue lines are knowns. The FireEye box was able to identify and stop these, as it did the orange --but what about the rest? The FireEye blog calls out the idea that there were obviously other things happening in the environment. Malware may have been in the environment before FireEye was loaded, or it may be that there is just so much stuff happening in the network that one box can't catch it all. Or perhaps one company doesn't have the necessary skills to identify all of the variations of activity that might occur. Maybe the company that bought this machine doesn't really know how to use it! Regardless, there's a ton 'o stuff happening in this network.

FireEye is a great product, and the idea here isn't to take a swipe at a fellow security company. I like the company. The graphic shows clearly the problems we all face. CISOs don't know what they don't know. And the unknowns are going to kill them. It takes dozens of skillsets to identify the right information to be loaded into our sensors to make the pain stop. And even then, if you've got something they want --computing power (or hiding spots) for botnets, identity stealing malware, products, intellectual property, mergers & acquisition data (yes, law firms scare the hell out of me) or military secrets, the activity isn't going to go away... and the information that you need as the vaccination for your network probably resides elsewhere. 

That's cyber Intelligence.

So where do you get it? 

First, you need to know what you need. Cyber Intelligence is comprised of two basic elements:
  • Indicators of Compromise - IOCs (...although "indicators of compromise" seems too late. I think I'd rather have a vaccine!). IOCs are things like domain names, IP addresses, email addresses of senders of malicious email, etc. Depending who you ask, there might be a hundred or so different kinds of IOCs.
  • The context by which you prioritize your work: You need a way to know which of those millions of IOCs you implement in your network first, then after that, and what you need to think about next month (or which ones you tell your MSSP to implement on your behalf). This is really hard. The context by which you prioritize your defenses can mean the difference between a normal Monday - Friday, ten hour workday, and a seven-day week of 22 hour workdays with a short nap, a Mountain Dew and a bag of Cheetos before starting all over again.
Interestingly enough, over the last two years, analysts on the backend of Red Sky Alliance have sought out, identified, and now collect and analyze sources of information unique to our problem sets. In fact, the primary focus of Wapack Labs is intelligence and analysis. We use the lab to support the FS-ISAC, a bunch of companies, and the Red Sky Alliance. 

Wapack Labs sells intelligence and analysis. 

And we can deliver it in just about any format you need it. 
  • Want intelligence through a collaborative? For those who know the value (it's HUGE btw), we have that in Red Sky Alliance and Beadwindow. Our members get the analysis produced by the lab, and when needed crowdsource the analytics. Sometimes they simply have more to add. It's very cool, and works like you wouldn't believe!
  • Need answers to hard problems?  We do research and author point project reports. In one case, we identified an application sold by one large company to another --and 15G of exfiltrated, encrypted .rar files from what we believe was the trojan'd application. In another, we authored a country study on Iceland -for those considering using Icelandic datacenters as an offshore option.
  • Looking for context for your SE/IM? We can help with that too. We're collecting information from about 500 highly targeted honeypots, adding more daily. The information we get is high confidence, nearly no latency, in many cases, 0-day. This stuff is the perfect feeder for gateway anti-virus, DLP, email filtering, and spam solutions. Yes, we can feed your ArcSight --and your brain.
Give me a shout. Let me show you. Red Sky Alliance collaboration, log diagnostics, high confidence targeted threat intelligence and analysis. We have something that can help you too. Want to know more about Wapack Labs? Drop me a note or sign up for our mailing list.

Until next week. I'm off for a run.
Go Bruins!
Jeff

Saturday, March 22, 2014

Red Sky Weekly: Threat Day Recap - March 2014

Anyone in the threat intelligence scene today knows that the best way to get information is to share information. And for that, personal contact, shaking hands, face-to-face conversation, and the ability to build relationships are required before building relationships online. And this is how we do it...

We hosted our March Threat Day this week at the Harvard Club of Boston. 

Thank you, everyone, for participating!

We started off on Wednesday evening when we met in the Commonwealth Lounge on the first floor of the Harvard Club. This was a bit different.. we combined our second annual Booz'n and Brainstorm'n session with the cocktail party that goes with the night before each Threat Day. 

With wine and bourbon flowing and chicken skewers and ribs piled high, a dozen Red Sky Alliance members mingled with about as many National Security Fellows from the Kennedy School at Harvard University. The National Security Fellows are members of various US Government agencies, such as Department of Defense, who spend a year studying at Harvard, afterward returning to their government roles – often in leadership positions. Conversations with this interesting group ranged from how to secure the nation’s electricity grid, to philosophical inquiries on the nature of identity and the future of personal identity. The evening ended with some of the guys smoking cigars in the parking lot and talking in greater detail.

The next morning, we all assembled on the third floor for a private breakfast and met our sponsors, CBTS and nCrypted Cloud. 

CBTS, also a Red Sky Alliance Associate Member, is a threat management service provider, headed up by the former CISO and incident response Director from GE Aviation --an APT-hardened group. These guys know APT, and have been building out capabilities to help others. nCrypted Cloud is a startup that provides an enterprise grade encryption service that connects to various collaboration environments -- securing information in Dropbox, Google Drive, OneDrive, Box and more.

We kicked off at 9:00 with our day recorded for posting to the portal, and once we overcame small technical difficulties (gremlins!), a conference bridge. 

After a short introduction from Jeff, Chris Hall from Red Sky kicked us off with an overview of recent threat research -his analysis of MiniASP Remote Access Trojan. Chris and his team were able to dig deep into that threat after an Alliance member forwarded a clean sample for analysis. As part of his presentation, he showed how the Wapack Labs’ WhoisRecon tool was critical in his analysis.

A team of members presented next, describing some of the sophisticated attacks they encounter. One found a website where malware and malware distribution tools are marketed and sold. He shared an online exchange with an apparently Russian hacker, discussing how the hacker got started, how he performs his attacks, how he gets paid (game currencies), and his wish list for information and technology. 

Next up, Nick Hoffman from CBTS. Nick presented a great lesson on building YARA rules, and helped us all to understand best practices for making YARA rules as good as they can be. YARA is a tool aimed at helping malware researchers to identify and classify malware families. Nick is funny, high-energy and playful --more playful than you've ever imagined anyone could be about YARA rules. Fun. He amazed us with his analysis of Taidoor. He discovered the five loops that Taidoor often reuses. With YARA you can create descriptions of malware families based on textual or binary information contained in samples of those families. And nobody is more of a YARA geek than Nick!


Denis Borodin, a senior technology risk analyst, shared some of the techniques he uses to detect and analyze malware. He explained a subtle yet effective phishing campaign with a JAR attachment, and his view of the Java Remote Access Tool jRAT, a particularly pesky and difficult malware sample.


Rick Gamache recently led a Wapack Labs team to author a great report describing the considerations in deploying outsourced datacenter services in Iceland. During this talk, Rick presented his analysis of Iceland's society and critical infrastructure. He explained the pros and cons of Iceland as host to some of the largest data centers in the world, and the massive bandwidth connecting it to all population centers of the globe. He described the datacenter, bandwidth, power and geopolitical considerations for companies considering Iceland as their offshore datacenter. And he talked about the up-and-coming cyber culture - the land of the ice and snow; from the midnight sun where the hot springs blow; and where hackathons are televised with the same energy and suspense as America's Got Talent and televised winners are regaled as cyber security rock stars!


Jeff Stutzman took us home with a discussion on collaborative and retained threat analysis --what's the current state and how is it evolving. Why Red Sky makes sense: our members have the ability to buy, and do buy, any number of feeds and subscription services, but still lack the ability to talk in a trusted, private way about threats. That is what the Alliance provides. Jeff also took us on a journey through the future of the Red Sky portal and ways to make information sharing easier.

The entire day and previous evening were jam packed with relevant and intriguing problems and solutions. I look forward to the next one.

-Steve


Saturday, March 15, 2014

Red Sky Weekly: Rising from the ashes

I just read the Business Week piece on Target. The thing that strikes me is this... most companies still don't understand (information) security. I realize that's a pretty broad statement. Let me explain.

On the physical side of security, my bet is, Target has eyes on every customer that walks through the door. Even if not watching live, every customer and every action is probably recorded. There are probably algorithms that set off alarms when predetermined events take place. My bet is also, should one of those alarms go off, some discrete investigator would hit the floor, following the suspected thief, and probably stop them. If something more serious happened --bombing, armed robbery, kidnapping --the alarms go off and so do the gloves --predetermined, preplanned, rehearsed escalations.

My point is this. Many, many companies have yet to realize that the risk models of physical security apply as well to information security. Target's organic physical security team is probably staffed on pre-determined models of various threats to big box retail. But the information security side apparently was not; even though the probability of being accessed on any given day is nearing (if not already hitting) a 100% probability of successful compromise. The only question is, how bad is the breach? What were the attacker's motives? Was the hacker a kid stealing a pack of gum by the checkout counter? Or was the hacker set on stealing millions of credit card numbers, pulling off one of the largest heists in the news today on one of the most market-critical days of the year?

I haven't been to Target since before Black Friday. I buy my Fruit of the Looms elsewhere. I'm betting I'm not the only one. Why?

It's confidence.

When RSA was broken into, my (then) boss and I had many discussions on how it might play out. He thought customers would run screaming from RSA. My position was that RSA would probably have a temporary setback, but find a way to recover. Although I have no empirical evidence, my guess is, and seemingly others in my circles believe, RSA today is probably more secure than it was three years ago. And with all other factors being equal (price, competitors, market choices, substitutes for RSA tokens, etc.), the idea is that the business that is RSA is probably stronger today than others in its class because they've lived (and survived) their oh sh*t moment. 

Survival becomes a real competitive differentiator, and Target today has exactly this same opportunity. 

BT BT

We're hosting our next threat day this week. There's a lot going on this week, so we're expecting a smaller crowd than usual, but that's fine. We're hosting the National Security Fellows from the Kennedy School on the 18th with our threat day on Wednesday. We will, as always, run a conference bridge and record the sessions. It's going to be small, but this should be a good one. 

In Red Sky Alliance this week we posted products on the Nuclear exploit kit, a new phishing campaign and, at a member's request, one of our interns' first fusion report: First sighted in early June 2013, H-Worm is an obfuscated VBScript employed in both mass malware and targeted attacks on the energy, government, telecommunications, and manufacturing industries. The source code is widely available on Arabic hacking forums. The report describes the attack details and provides information on the H-Worm malware family. 

In Wapack Labs, we've had some pretty amazing results with Allagash. Allagash gives us the ability to query via web interface, or to load samples taken from requester networks --netflow data, various logs, registry key exports, system inventories, etc. --and diagnose happenings in a network, very quickly. Our largest sample to date was nearly 4Tb and took us a little longer, but we're beefing up hardware as we speak, to be able to handle these larger diagnostic requests. Interested in Allagash? Sign on to our Constant Contact list. We'll keep you informed. Interested in a diagnostic run? Drop us a note. 

It's been a long two weeks on the road, so I'm going to keep this short. 

For those of you traveling to Boston this week, we look forward to seeing you!

Until next week,
Have a great weekend!
Jeff


Saturday, March 08, 2014

Red Sky Weekly: Intellectual tennis anyone?

A couple of weeks ago we told one of the largest online payment processors in the US that they were not welcome in Red Sky Alliance. Last summer we turned away a major Midwest chemical company. And when we first kicked off, our members had heartburn with a well known information security company. 

Why? In every case it came down to trust. Our members need to feel like they share a relationship; they want to talk to people that they like and trust, and most importantly, believe when they speak.

Last week I blogged about asking friends for help. As well as in person, over beers, or as former shipmates, personal relationships translate directly to the online world. And when the connections are made, magic happens. But when trust is lacking, the relationship doesn't work. So even though these companies certainly have the ability to write checks, we didn't invite them in. 

Red Sky Alliance is about being part of a small number of highly mature information security teams sharing information at a common, deep tech level. These guys all have great security teams. Information movement is high speed-low drag, and in the end, the return for their time in the environment offers the opportunity to significantly reduce their own workload --sometimes by weeks. We also have smaller companies who have really small infosec teams (like, two people) but those two person teams are also really smart, very hungry, and love exchanging observations and ideas. It's not about the size (of your security team), it's how you use it! (I know.. very junior high school... but I couldn't resist!)

The Results? The results have been amazing.

Our latest fusion report (posted last night) detailed findings from one of our own intelligence operations. Our internal analysts don't have access to incident response data from a vast internal enterprise, so we add value by using the intelligence cycle and cultivating sources that might be exploited for answers to specific questions. We don't look for volume of information, we look for quality of information. And while we've had a number of successes from these sources, I thought yesterday's was an especially cool report:

  • FR14-007: Beginning in November of 2013, Wapack Labs began receiving numerous spear phishes. Analysis of the malicious emails revealed the use of a new cross-site scripting tool. Dozens of separate attacks were observed originating from only three IP addresses. The majority of the emails were not captured by spam filters. 
  • Proactive defenses: In another case, we were able to cross reference information from a recent publicly disclosed attack, to find that the TTPs had been demonstrated late last year. While a new 0-day was used for weaponization, the delivery, malware, and C2 detailed in our October report may have prevented the breach that was in the news three weeks ago. 
  • Russia | Ukraine: We issued a PIR this week on cyber effects of the happenings between Russia and Ukraine. We've been tracking, at a very basic level, the GEOPOL temperature around the world and its effects on cyber (think growth of state sponsored offensive capabilities matrix and context), and as a result, we were able to tap sources to identify increases, decreases, or indicators of what we believe may be happening in cyber as a result. 
  • Government activity ramping up: Last, this happens on occasion... I'm getting hit up by a number of government folks --a DHS contracted FFRDC, and a number of civilian agencies. They won't be coming into Red Sky's private company membership, but the added relationships will turn into additional sources and collaboration points that we'll all benefit from. 

Our quarterly threat day is coming up on March 18th and 19th. The 18th is cocktails, and the 19th is threat day. We've got some great presentations lined up. I'm looking forward to seeing many of you there!

Last, but not least, we've received a number of Allagash inquiries. If you're interested in being an early adopter, sign up here. We've got our first accounts loaded up. We'll be running down the list soon.

OK. Until next week. I'm going to take advantage of the 60 degree day and go for a run!
Have a great weekend!
Jeff




Saturday, March 01, 2014

Red Sky Weekly: SkiCon, Advanced Persistent Trout '14?

I was invited up to Sugarbush for the weekend. I'm heading out in a few minutes, meeting a small group of CISOs and Infosec friends for a weekend of skiing, a rented condo and presumably a bunch of heavy-hops IPA. It's going to be cold, but the skiing will be great, and after-skiing will likely be better. In June, it's going to be fly fishing for a week on a river in the Tennessee Valley with another set of Infosec friends. One of the guys reserved a house with 2000' of river frontage and a guide to show us the right fly patterns for the native trout.

Why am I talking about skiing and fishing? Because these are friends. We call each other when we need something. We've followed each other's careers over the years as we each mature into more senior positions, and now, we're skiing, fly fishing, and having a few beers.

So let me ask you a question. When was the last time you asked for help from a perfect stranger? During your last bout with wekby, APT1, or the massive loss of credit cards, did you Google for help and call someone you didn't know? Or did you ask a friend who they'd recommend first... or better yet, used themselves?

These same circles of friends that I'm skiing with tomorrow and fly fishing with in Tennessee in June are the same people I've called at one point or another; and they've called on me. We've compared notes, shared incident response hours (many, many hours), begged for budget, screamed at each other over the conference table and played Guitar Hero in the middle of the night.. bleary-eyed from a dozen hours of analyzing pcap during the early days of APT --and two of the guys I'm skiing with tomorrow are founding members of Red Sky Alliance.

You see, people don't call strangers for help. They call friends first. Then they call those who've been recommended by friends. Yellow pages can't help you with cyber, and Google only gets you so far, so when you need help --finding the sleeper in your networks, pulling forensic images from all over the globe, begging for overtime for your team, or explaining to your CIO why you made your network an island when you watched the shift from the access team to the intel team --even for only a short period of time --I'm betting a dollar that you won't do it without knowing what others did first, and the guys you ask first are your trusted friends in positions similar to yours, in companies you can point back to as credible.

And to add to that, most people I know in this space prefer small circles of trust. Thousands of people in low-cost, high-volume portals, sharing information anonymously may give you that warm feeling of satiation (due diligence?) when you're gobbling IOCs as fast as you can shove them into your intrusion prevention systems, but there's a very high probability that much of the information you've stuffed into that little red box isn't going to do you much good. So what happens when you've spent all that money, and you've made your network an island, and your IPS screams for better stuff, and your team is burning out, but your CIO hasn't got anything left for you? Who are you going to ask for help? Here's an idea. Ask first.

Small trusted circles are WAY better than big... when we first started working APT issues (in about 2006), we were three companies under strict NDAs, sharing notes. That three company circle expanded to about a dozen who really knew what they were doing, and when it came time, we all helped each other. Many today consider that small group of highly trusted companies an amazing force multiplier. Most will tell you that they could never have hired all of the talent that they needed to fight the fight without sharing expertise in the then first-of-its-kind, full attribution information sharing environment.

Wait. What? Full attribution?

You bet. Attribution and peer reviews keep even honest people honest.

Red Sky Alliance today is about 35 large enterprise companies. Those 35 companies all have highly mature information security teams that know what it takes to deal with the problems we all face, but only a few know how to survive. Not one of them has their head in the sand. There's no BS. They just help each other.

So, let me ask the question again. When the stuff hits the fan, who will you trust?

Me? I'm going to ask my friends.

If you'd like to ask my friends too, drop me a note. We'll get you set up.

BT BT

Even with most of the Infosec folks I know at RSA, it was a busy week. Heck, maybe that's why it was so busy. Bad guys know that the infosec teams are in San Francisco!
  • We don't typically perform victim notifications, but this week we were forced to notify two national CERTs of compromised accounts that were leveraged as part of an ongoing campaign from a known cyber espionage actor. Red Sky is currently receiving a number of APT spearphishes first-hand through a collection of proprietary honeypots placed in very specific locations. Our members receive very fast notification of very early malware --oftentimes, beta. In several instances we've been able to post mitigations within minutes of the honeypot capture! For those using spam defenses at the gateway, feeds from this data set can be pumped directly into your Ironport or other similar system.
  • This week we released FR13-006. This fusion report detailed recent campaigns leveraging an IE vulnerability described in CVE-2014-0322. The report described malware artifacts involved and provided tailored mitigations for a widely used RAT.

We're pushing hard to get Allagash up and running, and with the exception of one last change, we're ready for our first beta testers to jump on starting Monday. We're looking good. Our goal is 20 beta users. We're about half way there. If you're interested, sign on to our Constant Contact list. When your name comes up, we'll drop you a note.

Last, but certainly not least, our Threat Day is coming up in just a couple of weeks! We're doing cocktails the night before, with a day of presentations the following day. These things are always great, but we're going to have some fun with the National Security Fellows from the Harvard Kennedy School on the night before. It'll be great exchanging ideas in the old mahogany Commonwealth Bar. Smart folks, the Red Sky membership, and liquid brain lubrication. How can this not be fun?!

Ok. Off for now. I've got to get my skis on the car!
Have a great weekend!
Jeff