Saturday, May 24, 2014

Red Sky Weekly: Happy Memorial Day!

I wrote a blog this morning, but after reading it and re-reading it, I just didn't like it. So I thought I'd keep it simple. 

Thank you to all who've served. I am a vet. Many of my friends are vets. Most of the Red Sky Alliance and Wapack Labs team are either vets or currently serving as reservists. Enjoy the long weekend and please, in between activities marking the official beginning of summer, take a moment to remember those who are serving, have served, those who've stopped at Walter Reed on their way home, and those who've paid the ultimate price. At the same time, don't forget the families. They've supported us on deployment, and probably much harder, when we returned. 

Happy Memorial Day!
From the teams at Red Sky Alliance and Wapack Labs

Saturday, May 17, 2014

Red Sky Weekly: Uptick in Dark Comet RAT?

Indicator aging is a topic that comes up often in conversations with folks who're interested in knowing how we handle old indicators. And in most cases, I have stories of VPN drivers, and newcomers pinning on their first oh sh*t badge, who get hit first with the old stuff. This week, we had a great example of why old indicators must be kept up to date, with a story of an old RAT being used in a slightly different way... Dark Comet, labeled by Symantec as "Backdoor.Breut", had been credited by CNN for its use by the Syrian regime against those who opposed them.

This week, Dark Comet RAT appeared on our radar. And although available for years, Dark Comet remains popular among hackers. Recent activity observed by our lab indicates an uptick in the use of this tool and it’s not showing any signs of slowing down... and sporting a new twist --Mobile Command and Control (C2).

Geolocation of DarkComet RAT Mobile C2 nodes
In a new edition, analysts at Wapack Labs observed the use of what we are calling "Mobile C2s". A couple of recent variants leveraged No-IP domains that showed historical resolutions to dozens of IPs. Upon closer inspection, it was revealed that the majority of them were mobile service provider hosts. This would suggest that the attackers are running the C2 controller on a laptop with mobile broadband and a No-IP client. During our research we also discovered a number of DynDNS clients for mobile apps; however, to our knowledge there are no Dark Comet controllers compatible with mobile devices. Either way, this may be signaling a new trend.

While it may represent a convenient option for the attacker to have a mobile C2, it does offer some interesting data points for tracking. Using historical resolutions for one C2 we identified 26 separate mobile provider hosts with resolutions starting from late February to present. The majority of the hosts were geo-located within a two-mile radius in London, however on 11 April we see a hit for Stevenage, which is an hour north of the primary cluster.


Despite the relative anonymity of using Mobile infrastructure for C2 it does clearly allow for higher confidence tracking of actor movements and activity. Wapack Labs is keeping a close eye on these networks and the continued use of this TTP.
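The tracking described above (historical resolutions for one No-IP name, most of them landing within a two-mile radius, with one hit an hour away) is easy to reproduce over passive-DNS data. The following is an added example, not code from Wapack Labs or the original post: the resolution history, the IP-to-provider mapping and the coordinates are all constructed placeholders (documentation-range IPs, approximate central London and Stevenage coordinates), and in practice the geo table would come from an ASN/geolocation database rather than a dict. It finds the densest neighbourhood of resolutions within a configurable radius and reports every resolution that falls outside it, with its date and distance from the cluster centroid.

```python
from collections import Counter
from datetime import date
from math import asin, cos, radians, sin, sqrt

# Constructed passive-DNS history for a hypothetical dynamic-DNS C2 name (not real data):
# (first_seen, resolved_ip). The IPs are documentation-range placeholders.
PDNS_HISTORY = [
    (date(2014, 2, 24), "203.0.113.10"),
    (date(2014, 3, 2), "203.0.113.11"),
    (date(2014, 3, 15), "203.0.113.12"),
    (date(2014, 3, 29), "203.0.113.13"),
    (date(2014, 4, 11), "198.51.100.7"),   # constructed out-of-cluster hit
    (date(2014, 4, 20), "203.0.113.14"),
]

# Constructed IP -> (provider label, lat, lon). Coordinates are approximate
# central London and Stevenage; provider labels are placeholders.
IP_GEO = {
    "203.0.113.10": ("mobile-provider-A", 51.507, -0.128),
    "203.0.113.11": ("mobile-provider-A", 51.515, -0.141),
    "203.0.113.12": ("mobile-provider-B", 51.503, -0.119),
    "203.0.113.13": ("mobile-provider-A", 51.511, -0.134),
    "203.0.113.14": ("mobile-provider-B", 51.509, -0.125),
    "198.51.100.7": ("mobile-provider-A", 51.904, -0.202),
}


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance in statute miles (mean Earth radius 3958.8 mi)."""
    r = 3958.8
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * r * asin(sqrt(a))


def enrich(history, geo):
    """Join each resolution with its provider and coordinates; skip IPs with no geo data."""
    rows = []
    for seen, ip in history:
        if ip not in geo:
            continue  # unknown location: leave it out rather than guess
        provider, lat, lon = geo[ip]
        rows.append({"seen": seen, "ip": ip, "provider": provider, "lat": lat, "lon": lon})
    return rows


def primary_cluster(rows, radius_miles=2.0):
    """Return the largest neighbourhood of resolutions within radius_miles of one anchor."""
    best = []
    for anchor in rows:
        members = [r for r in rows
                   if haversine_miles(anchor["lat"], anchor["lon"], r["lat"], r["lon"]) <= radius_miles]
        if len(members) > len(best):
            best = members
    return best


def track_c2(history, geo, radius_miles=2.0):
    """Summarise host count, provider mix, the primary cluster and any out-of-cluster hits."""
    rows = enrich(history, geo)
    if not rows:
        return {}
    cluster = primary_cluster(rows, radius_miles)
    cluster_ips = {r["ip"] for r in cluster}
    lat = sum(r["lat"] for r in cluster) / len(cluster)
    lon = sum(r["lon"] for r in cluster) / len(cluster)
    outliers = [r for r in rows if r["ip"] not in cluster_ips]
    return {
        "hosts": len({r["ip"] for r in rows}),
        "providers": Counter(r["provider"] for r in rows),
        "cluster_centroid": (round(lat, 3), round(lon, 3)),
        "cluster_size": len(cluster),
        # (date, ip, miles from the cluster centroid) for every resolution outside the cluster
        "outliers": [(r["seen"].isoformat(), r["ip"],
                      round(haversine_miles(lat, lon, r["lat"], r["lon"]), 1)) for r in outliers],
        "first_seen": min(r["seen"] for r in rows).isoformat(),
        "last_seen": max(r["seen"] for r in rows).isoformat(),
    }


if __name__ == "__main__":
    for key, value in track_c2(PDNS_HISTORY, IP_GEO).items():
        print(f"{key}: {value}")
```

The radius is a knob, not a constant of nature: mobile-provider geolocation is coarse, so a two-mile radius only works where, as in this case, the carrier's address pool happens to resolve consistently. The dated outlier list is the part worth keeping, since one host appearing far from the cluster on a single day is exactly the kind of movement signal the post describes.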

BT BT

For me (written by Rick), the thing I learned this week is that I learn something every week, no matter how challenging the week may have been. Even if I feel like I've not accomplished much, if I'm not learning something, I'm static. 

The point I'm making is really simple: we're always busy doing the multitude of tasks we have to fit into an ...ahem...eight hour day, but if you're not keeping your eyes on what's coming around the corner, you may walk smack dab into someone and break your nose.  We talk about the "wolves closest to the sled", which is appropriate when your spend is limited; you're often just worried about today, the here-and-now, but what about the wolves that lurk in the darkness, the ones that are just beyond your vision waiting for their opportunity?

"White Fang" author, Jack London, once said, "The proper function of man is to live, not to exist."  The function of security in any organization should be not just to get through the latest crisis, fending off the wolves on your sled, but also to be on the hunt for the wolves you've yet to discover that are hunting you.  How do you do that?  Intelligence.

BT BT

I'm keeping this one short. I completed a whirlwind trip to St. Louis and San Antonio about two in the morning, so I'd asked the team to author the blog before I got back. So until next week, I've got a wet hayfield to mow when the rain finally stops.

Need intelligence? Drop us a note.

So until next time,
Have a great week!
Jeff

Saturday, May 10, 2014

Red Sky Weekly: Energetic Bear, Cyber-burkut

We turn our attention this week to cyber activities originating from Russia.

Energetic Bear:

In September 2013, both CrowdStrike and Cisco published findings of watering-hole attacks believed to be targeting the energy sector.  CrowdStrike named this actor set "Energetic Bear". According to CrowdStrike, "ENERGETIC BEAR is an adversary group with a nexus to the Russian Federation that conducts intelligence collection operations against a variety of global victims with a primary focus on the energy sector."

While apparently focused on the energy sector, other victimized industry sectors were also called out in the CrowdStrike report.

• European government;
• European, U.S., and Asian academia
• European, U.S., and Middle Eastern manufacturing and construction industries
• European defense contractors
• European energy providers
• U.S. healthcare providers
• European IT providers
• European precision machinery tool manufacturers; and
• Research institutes.

This week Wapack Labs released Fusion Report 14-014 on Energetic Bear. State sponsorship of this group is unknown, so the activity is being classified as "APT-like" tactics, techniques and procedures (TTPs). Wapack Labs identified and analyzed dozens of new and legacy first-stage (meaning, tools used in the first compromise) and second-stage backdoors associated with this activity, as well as a portion of compromised infrastructure. As part of our report, we were able to identify new tools and targets, and provide tailored mitigations for the new Energetic Bear TTPs.

The energy sector is known to be widely targeted. Not just in the US, but around the world. And the ability to steal intellectual property from others means less money spent on research and development of new, more efficient means of generating or distributing energy, less money spent on finding new places to drill for oil, and potentially, in harsher scenarios, the ability to divert, disrupt, or destroy the movement of energy. Every business plan, every project plan, and every piece of analysis that's used to derive how investments will be made exists in investment firms. Companies needing money tell investment firm researchers everything --and oil and gas companies are no different. The movement toward targeting investment firms associated with oil and gas should come as no surprise, but the use of new tools targeting them is indeed believed to be new.

Cyber-burkut:

Cyber-burkut is not new. It's been reported many times in the past. But in this case, Wapack Labs analysts believe the cyber-burkut may be a low level information operation campaign targeting the citizens of the Ukraine. And why not? Cyber is the perfect vehicle to affect the opinions of a LOT of people, and such a simple, grass roots effort can be not only effective, but inexpensive.  

Staging for a new round of distributed denial of service (DDoS) activities appears to be taking place. "Cyber-berkut" is a hacktivist movement much like others. Protesters are being urged to download an application to their computers. The application then makes their computer part of the network used to launch denial of service attacks against government and corporate websites. The website associated with the activity leverages patriotism in Russia by asking everyday people to take part in a cyber war toward the Ukraine. For several reasons, Wapack Labs also believes (medium confidence) this activity to be state sponsored. "Burkut", for reference, is the name of a special police unit inside the Ukraine. The name has now been adopted by pro-Russian police forces in Crimea.

BT BT

This is a slightly different format than you're used to from me, but I thought it would be good to report 'meat' for a while instead of Stutzman ranting about information sharing, the need for intelligence, and what's happening in the world.

And as mentioned before, Wapack Labs is the analytic engine behind Red Sky Alliance. Crowdsourcing, coupled with a dedicated team of folks in the lab, is there so that when you ask a question and someone else doesn't already know the answer (which is rare), we have a group of folks dedicated to doing the analysis and answering the questions. In doing so, we've become really good at it... and now offer these intelligence and analysis services as a service. We're not incident responders. We refer those who need services to partners who provide them --Red Sky Alliance members, whom we believe to be trusted, and who are peer reviewed in the portal.

Need intel and analysis? Call us. Want it in a collaborative portal? We have that. Just want a subscription? We can do that too. Tell us what you need. We'll write it, and deliver it in just about any form you need it. We're heading toward STIX as we speak, cleaning up internal tagging before converting it all over, but even now, our MD5s are converted to STIX and we're looking at hosting solutions for new push/pull mechanisms. Stay tuned. We've got big things happening!

Want to know more about Wapack Labs? Drop us a note, or add your name to our list. We'll keep you up to date!

Until next time,
Have a great week!
Jeff

Saturday, May 03, 2014

Red Sky Weekly: Pirpi RAT

Last week (April 26th), FireEye reported a new Internet Explorer (IE) zero-day exploit used in targeted attacks. A "zero-day" is a new exploit or vulnerability that has never been seen in the wild before; normally referring to the first discovery.

According to Kaspersky bloggers, during the week of the 20th, attackers sent well crafted emails (well crafted means they often times look very normal, like they might come from your boss or a customer) to specific, high value targets. These targets generally have trust relationships with someone or something that has information related to targeting objectives assigned to the group performing the attacks. In this case, the idea was to deliver a newer version of an old remote access trojan (RAT) named the Pirpi RAT. Once installed, the Pirpi RAT can be used to take full control of a user's browser, and in turn, their system, and larger network (where attackers may remove or destroy information as desired).

The vulnerability identified by FireEye affects Internet Explorer versions 6 through 11, but according to FireEye, the attacks appear to be targeting versions 9 through 11. And to make matters worse, the zero-day bypasses two Windows security measures --Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP).[i] (Address Space Layout Randomization (ASLR) randomizes the memory locations used by system files and other programs, making it much harder for an attacker to correctly guess the memory location of a given process. Data Execution Prevention (DEP) is a Windows feature that enables the system to mark one or more pages of memory as non-executable, disallowing their ability to run.) Microsoft announced Security Advisory 2963983 the same day.[ii] 

This week's Cyber Threat Analysis and Intelligence (CTA&I) report provided analysis, situational awareness and mitigation strategies for two variants of Pirpi malware, as well as possible attribution for its use. Wapack Labs analyzed, and published to our members, analysis of two primary strains of the Pirpi malware with some interesting findings:
  • The first versions of Pirpi appeared in 2008. 
  • Several domains were observed as remote control channels (command and control, or C2) used with the first variants. These domains appear to currently be sink-holed, but a DomainTools "Whois History" report revealed the original registrants. Domains don't always make the best indicators when chasing compromise (because they change often), but the metadata associated with them rarely does. What's metadata? Names, phone numbers, addresses, etc., associated with the person or organization that registered the domains. These make great indicators in identifying new bad actors or actions, and Wapack Labs has a great internally built tool to help us identify patterns in the registrant metadata. We call it "WhoisRecon". In this case, there is a lot of history --and those who don't learn from it may be doomed to repeat it. Four early domains used by Pirpi for C2 were identified.
  • A well known Advanced Persistent Threat (APT) group is believed responsible for leveraging this recent exploit. The group today leverages several back doors including older versions of Pirpi.[iii] 
  • One email address, the original registrant of three of these four early domains, is believed linked to over 140 others. The email address was reported in an Infosec forum operated by a Chinese information security company in September 2009. The email's connection with the attacks is unknown, but certainly enough information is available to suggest malintent. 

BT BT 

This was a simplified snippet of the deeper analysis that we provide to our members and customers on a weekly basis. This week was busy and I thought this might be interesting. The reports, when possible, provide not only the analysis of the activity but also Snort rules for your intrusion prevention systems, YARA rules, which are used to check files for badness (a great overview can be found here), and indicators, currently presented in Lockheed's Kill Chain format. 

Red Sky Alliance and Wapack Labs are one of the few places where users can come in, get up to speed, and get no-kidding analysis and protection strategies for advanced threats... and everyone has them. Last week I wrapped my victim notifications with a call to a four person company. While we don't do incident response, we do offer victim notifications and referrals to trusted partners. In this case, we had a local partner with deep experience in exactly the same industry as the victim. 

As an added note, I had the opportunity to participate in the US Cyber Crime Conference this week. While no longer associated with DoD, the conference was excellent. A much smaller crowd turned out... I think about 600 or so, but it was heavily commercial participation, with ten educational tracks, and as usual, Jim Christy and the folks at Tech Forums did a hell of a job. 

Ok, going for a run before it rains.

Until next time,
Have a great week!
Jeff

[i] http://www.fireeye.com/blog/uncategorized/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html
[ii] https://technet.microsoft.com/en-US/library/security/2963983
[iii] http://www.fireeye.com/blog/uncategorized/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html

Saturday, April 26, 2014

Red Sky Weekly - Gh0st RAT

"Ghost Rat (or Gh0st RAT) is a Trojan horse "Remote Access Tool" used on Windows platforms, and has been used to hack into some of the most sensitive computer networks on Earth. It is a cyber spying computer program." While I don't normally quote Wikipedia, their description of Gh0st RAT is actually pretty simple, but pretty good:

The GhostNet system disseminates malware to selected recipients via computer code attached to stolen emails and addresses, thereby expanding the network by allowing more computers to be infected. According to the Infowar Monitor (IWM), "GhostNet" infection causes computers to download a Trojan -"Gh0st Rat" that allows attackers to gain complete, real-time control of the victim computer. The computer can be controlled or inspected by its hackers, and even has the ability to turn on the camera and audio-recording functions of an infected computer that has such capabilities, enabling monitors to see and hear what goes on in a room.

In fact, Gh0st RAT is rarely used alone. It is indeed a remote access and administration tool, but in most cases, the RAT is used to carry out other activities in the victim computer or network. 

This week we published our next Fusion Report, FR14-013, which dealt with another variant of Gh0st RAT...  We're not the first to report on Gh0st, nor do I suspect we'll be the last. What we do believe, however, is that the use of Gh0st this time can be attributed to a group known to be dangerous, very active, and targeting very specific types of technologies. 

In Mid-April 2014, a Red Sky member received two phishing emails originating from the same sender.

  • One email contained a link to an executable file. That executable, upon analysis, was identified as a variant of the Gh0st RAT malware. 
  • The second email contained a download link to malware that was identified as a Microsoft Outlook credential stealer.

Remember when I said Gh0st is oftentimes used in conjunction with other tools? In this case, the attackers were looking for credentials, probably hoping the credentials captured from Outlook would also give them access to the network's front door --the user's access credentials. At that point, without good behavioral analysis techniques, detection becomes really hard, really fast.

One of the things we talk about often is the idea of being able to assist a security team with fast classification of activities hitting the sensors and the security management consoles. This, with the vast amount of data coming at a typical defender, is also really (REALLY) hard. How exactly does a security team quickly assess the difference between 'commodity', 'systemic' and 'targeted' events? For dictionary purposes.. 

  • Commodity issues are those that a simple tweak in existing defenses will take care of.. a new virus, a misconfiguration, etc. 
  • Systemic issues are those that might take down your company -or worse, an industry. Interconnected systems with few controls, central services to large scale operations --with built in credentials or trusts could be considered systemic. Help desk systems where every help desk technician has credentials to every computer; hard coded accounts in databases that connect to each other. These issues are usually a bit harder to identify, but once identified, controls can be placed to manage risk and threat. 
  • Targeted issues are a little different. Where the first two require largely mechanical mitigation processes, targeted attacks require users step into the role of "security chess". The game is on, and it's not going to stop. Attackers are skilled. In fact, one guy posted to a group the warning that targeted attackers (that hit his environment) mean business. They want something, and they bring the A-team. You need to be ready.

In this case, this group's use of Gh0st was clearly targeted. How can we assess that?

  • The Gh0st RAT variant that we analyzed had few known open source variants
  • It leverages dynamic C2 domains previously identified in discussions within the Red Sky portal.  
  • The initial phish 'bait' was clearly used to social engineer the intended victims at the high tech company that tipped off the community.
  • The products manufactured by this company are technologies known to be coveted by others in the world (believed associated with the attackers)
  • Last, this group rarely operates without either financial gain or espionage motivations (probably both)

In the end, our reporting analyzed and detailed the infrastructure associated with the RAT and the malware details, and to wrap it up, we provided the Red Sky members with mitigation information - a Snort rule, a YARA rule, full directory-structure artifacts that users can search for, and a couple of pages on indicators in LM's kill chain format. 

BT BT

In the lab, we began sink-holing operations on a couple of new locations. Within the first day, we collected information suggesting at least four companies had been compromised. The group? The same group associated with Gh0st RAT mentioned above. In two of the victims identified, the RATs used to steal information from these networks appear to have been placed as early as 2009. Three of the four identified were actively sending and receiving information when we identified them. Industries? One company manufactures airplanes and aerospace technologies. Another is a small engineering firm that manufactures propulsion technologies for rockets and spacecraft. The third, an energy company in Asia. The fourth? Apparently we stumbled onto someone else's research network. Sorry guys! ;)

So, we issued three victim notifications. One company never responded, but I was amazed to see how fast the others did. In both cases, we gave them information they hadn't previously known. In both cases, the CISOs reacted nearly immediately. These guys were on the ball, and grateful for the heads up. 

The information sharing construct works. Red Sky Alliance isn't the only group out there, and it looks like at least some companies are getting the message. In fact, a Ponemon study on information sharing (released last week) polled 701 companies. 71% of them believed (at least according to the survey) that participating in threat intelligence forums (like Red Sky Alliance) improves the security posture of their organizations.

It's apparent, and not a secret, that there have to be better ways to share information. Automated means, faster turn-around, simplified exchange protocols and taxonomies, trust (and anti-trust), and competitive concerns all seemingly get in the way, but for those who love this stuff, they REALLY love it. The rest? Well, I'm reminded of my first junior high school dance where the boys stood on one side of the gym and the girls on the other. Only the boldest dared actually dance. At some point in the future, we'll all be on the floor, but don't wait too long. A small company with high value tech doesn't stand a chance on their own. 

Drop us a note. You may not want to participate in the Red Sky Portal, but it'll be there if you need it. When you (or your lawyers) finally get up the courage to actually participate and dance, there'll be others in the portal waiting to help, and if you don't have the ability to implement the 'help' yourself, we're happy to make recommendations.

Until next time,
Have a great week!
Jeff

Saturday, April 19, 2014

Red Sky Weekly: What's happening in Wapack Labs?

Heartbleed? Yeah, we're watching too. We try hard to identify and talk about things others don't. There's a ton of messaging on Heartbleed, and I don't want to just repeat what others have already said, so this week I'm going to talk a bit about Wapack Labs. 

As a bit of a primer, Wapack Labs is an independent company located in Manchester, NH. We recognized early that as facilitators of information sharing in the Red Sky portal, our abilities as incident responders, forensic guys, auditors, or whatever background we came from, would quickly rust if we didn't find ways to participate in a material way, and keep those skills sharply honed. So we started Wapack Labs as a forensic shop hoping to use it to support the membership. We created it as a separate company because it didn't fit nicely into the information sharing construct, and manned it with a couple of new folks, in a new lease in Manchester, with its own ecosystem and infrastructure. We realized quickly however that we weren't going to make a living on forensics, so rather than blow off the remainder of the lease, let the people go, and sell all of the gear, we decided to focus the lab on our core competency --intelligence and analysis. We still have a forensic capability, and we have a great guy manning that con, but the core competency of the lab is managing and operating an intelligence cycle and publishing results to various customers --Red Sky Alliance, the FS-ISAC, and dozens of companies. Today, nearly all analysis that goes into Red Sky Alliance from our participation comes from primary sourced data, collected to answer specific questions, using great process... in Wapack Labs.

And while the portal remains busy, the analytics coming out of the lab have just been amazing lately, so I thought I'd share some of it, getting back to our roots of summarizing weekly happenings in our analytics, and not just Jeff sharing stories, ideology and lessons.

At the macro cyber-geopolitical perspective, we've got a couple of folks dedicated to tracking significant happenings in the world today:

  • Ukraine and Russia: There's a serious lack of press on this topic, but we know there's no shortage of cyber activity. The cyber conflict currently lies between the two countries, but we monitor for escalation, spill-over that might affect our members/customers, and for lessons learned about future protections against government sponsored cyber activities targeting individuals or companies. Guys in the lab are keeping a close eye on developments. One of our analysts is a native Russian speaker and we use him to translate and provide running commentary. This week, the team, based on his work, drafted a timely and relevant profile on a suspected intelligence group operating within Ukraine, including their use of cyber tactics. The report offers details and analysis that have yet to be captured in Western media. We believe that we will see more activity from these guys as Russia escalates its operations in Eastern Ukraine... and we will continue to monitor and report to our Red Sky Alliance members and Wapack Labs customers.
  • Country studies: The guys are working through our second country study. The idea is to assist organizations in planning their security, based on their geographic diversity, customer base, technical resources, network environment, and infrastructure conditions. Our first study was Iceland. It's a great little spot in the north Atlantic with a TON of power, great bandwidth, and dirt cheap datacenter space. We wrapped that up about two months ago. Our second will be announced in May, but as with Iceland, this is a research project that considers the factors that affect cyber, decision making, threats and risks -from a number of sources- intelligence, geographic, political, and cyber. 

At the micro level, we continue to be busy. Work keeps coming.
  • New botnet: This week we pushed out a "part one of two" technical report. Part one provides details on several new IRC botnets seen targeting the financial sector. Part two will be published next week, offering an inspection and details of the related infrastructure. 
  • Targeting Korean Banking: Our second report this week detailed a family of popular Chinese malware that was re-purposed for targeting Korean banks and the banking infrastructure. Fortunately, the mitigations that we developed and published, not only protect against this variant, but all variants of the parent malware family. 

BT BT

If you're detecting a slightly different tone in my messaging this week, it's because there is in fact a slightly different tone in my messaging. I've been making the rounds, talking with Red Sky members, asking them what they like, don't like, and how we might do better. 

The overwhelming answer is this: "We love what you do! But we don't always like having to get it from a portal!" So on that, even only about a third of the way through the interviews, it appears that the deep techies who use the portal regularly love the portal. But that leaves about 58% of our user base who need alternative delivery mechanisms. So ask, and you will receive!  

Our messaging has shifted a bit from "Come be part of our information sharing environment!" to "We (Wapack Labs) author intelligence and analysis.. and we can deliver it how you need it." Want to share information, compare notes? We have that! The Red Sky Alliance portal isn't going anywhere, and assuming qualification and Advisor approval, subscribers to services through Wapack Labs will receive access to one of the portals. Only want access to an automated system to query indicators, we have that too. Subscription service? The lab can tailor your subscription to just about any requirements, and output just about any format you want --STIX/TAXII, Snort signatures, SIM packages.. whatever. 

We author great intelligence and analysis.. and we'll deliver it in any format you need. 

I promised to keep it short. 
Until next time, have a great weekend!
Jeff

Saturday, April 12, 2014

Red Sky Weekly: What will the cyber of my grandchildren look like?

We started a project last summer, where we track the growth of government sponsored offensive operations around the world. It's a work in progress. When we started, our first cut at our "GEOPOL Matrix" reported six countries with officially sponsored offensive cyber organizations. Our last cut? 22.
22 countries at the beginning of February sport the triad of Surveillance, Defense and Offensive cyber capabilities.  So, I suggest... If the growth chart of cyber as a means of influence were a hockey stick, I'd say we're starting to hit the curve. Cyber complexity is going to grow exponentially, and with it a proportional number of places it can be exploited. 

In 1999, I spoke on cyber espionage at a SANS conference. I'll never forget it. In one of the reviews someone said I was selling FUD (fear, uncertainty, and doubt). Another called my presentation snake oil. How did I know that cyber would become the principal location for future intelligence operations? Because I was, at the time, farming open source data on a daily basis looking for clues to subjects I'd been tasked with researching... nothing covert. Everything was in the open, but even back then I was amazed at the huge amount of data that companies and countries were putting on the internet --and what a massive advantage that gave me. The seeds were being planted in that garden -with such amazing dark soil, plenty of water, and the patch where EVERYBODY planted their best stuff. Now, 15 years later, cyber is probably the most exploited patch of dark land, and the corn is waist high and looking good. 

Also now, 15 years later, on nearly a daily basis, someone loses a million credit cards, and intellectual property is lost. And the credit cards? Who cares, right? The banks make it right. And the intellectual property? Well, this stuff doesn't make it into the news as often as millions of credit cards lost, and when it does, you'd think we'd be shocked, but frankly, it's the new normal. And Heartbleed? It's bad.. really bad.. but who cares. It's just another thing. 

So what about 15 years from now? Beyond the idea of data loss and beyond the espionage.. both will always be there --they have been forever, in and out of cyber space. 15 years from now, many governments (and companies) will have their own cyber programs --warfare, attack, surveillance and defense. Think about it. In every case, when a country prepares for conflict, there's a timeline that's followed. And even today, kinetic options include dropping bombs on communications nodes, power generation, and other targets critical to operations. So is a power plant an arm of the military? What about the telecom provider that runs the cell or satellite services? Of course not. But those stockholder owned private companies ARE military targets during conflict. And do you think the stockholders aren't going to demand that the companies fight back? My bet is they will. Disintermediation is real. Militaries can and do attack civilian targets. And I don't think it's going to be just militaries.. In the future, cyber is going to make it so very easy that others will jump into the fight.. civilian on civilian, military on civilian, and civilian on military. Heck, we see it today. There are plenty of examples of government sponsored cyber, and on the non-government side? The SEA, Anonymous, and others form behind causes, taking patriotism and hacktivism to the realm of cyber action.

If cyber could be used to effect change in behavior of an adversary (change in behavior is always the goal), and it could be accomplished without using kinetic options (dropping bombs, shooting at people, etc.), and the risk of human loss is minimized on both the attacker and defender side --if one could take power, food, water, transportation, command and control/communications, or whatever someone chooses to take down, simply by hacking a computer and turning it off --even if only for an hour or two... would it work? You bet.  

It's going to become really easy to do. How many times have you been asked to answer a 'security question'.."What is your mother's maiden name?" "What was your first car?" "What is your favorite movie?" Add to that, your car, the airplane you fly, the train you take to work, heck, your refrigerator and toaster all have things that communicate with the internet. The amount of intelligence that is stored by companies asking these questions, intelligence that can be collected based only on personal questions, added to the devices and data in your everyday life, geolocation services of GPS turned on in nearly every device, and the ability to target very specific people or things to effect change? Wow. The bits of information out there --even today-- will enable massive opportunities for cyber exploitation --and very personalized cyber exploitation. 

And now it appears countries are turning off their Internet gateways when the Internet is threatened. The risk of an espionage attack, or DDoS, or the likelihood of loss of integrity has overshadowed open communications across borders, and the ability to hear directly from journalists, citizens, the persecuted and the attackers during crisis is being slowly turned off. Isn't this where we came from? Let's not go back. 

What will the cyber of my grandchildren look like? 

I don't have an answer. 

BT BT

In the last few weeks I've been making the rounds, talking with Red Sky members face-to-face. We've grown a lot in the last two years, and in many cases, in areas we never thought we would. I'm looking for feedback from our customers as we head into the normalization phase of moving from a bootstrapped, cash-flow company to a small enterprise. We didn't take venture money when we started this two years ago. We built this ourselves with the idea that we could work with our membership and shape the offering to them.. and I believe we have. 

We're reshaping our message, and looking at how we currently deliver analysis. Some love the portal. In fact, many log in first thing in the morning and stay on all day. Others check it once a month or so. Some get a digest. Our bottom line? Wapack Labs looks for things to provide our members. We're looking for ways to innovate. And for our members who love the Red Sky portal, we'll continue to push information into it, participate in conversations, and rub antennas with the techies. For those members who need information delivered in other ways, and in other forms? We want to know that too. 

So I'm looking forward to seeing you all as I make the rounds. And I'm hoping to see many of you at our Threat Day in Tampa in June. 


For non members.. we're going to host an offsite following the Threat Day. Come meet the team! Have a cocktail on us. I'll post the time and place as we get closer.

Ok. It's a sunny day, and I've got work to get done.
Until next time,
Have a great weekend!
Jeff
Saturday, April 05, 2014

Red Sky Weekly - Can YOUR box serve whoopie pies?

My history and cynicism are good indications that I'm long in the tooth in this space, although I've never been able to grow that grey beard. You can apply the codger moniker with high confidence based on the analytic rigor of multiple primary-sourced blog entries by me over the years. Yes, I look at cyber in a very specific way, and I've been around long enough to consider myself seasoned and experienced.

I had beers and cigars last night at the Cancun Cantina with three old friends. One of the guys was a Marine E6 when we met. I was a new LTjg. He's preparing to retire as a Warrant Officer now. Another was the head of Incident Response when we worked together, now, Chief Technology Officer. The last is the CISO for a local defense contractor.

Our talk sounded like sea stories. In the late 90s my Marine friend and I (and others) earned our stripes analyzing Moonlight Maze, Solar Sunrise, the downing of the EP-3 at Hainan Island and just about any cyber event (they weren't called cyber at the time), or events with cyber consequences. Our team authored the first models for behavioral analysis, spending countless hours with Suresh Konda coding thousands of compiled computer intrusions, to be used in the early days of the SiLK models.

I was reintroduced to this world in 2006 as Titan Rain was winding down, and another set of intrusions (perhaps just renamed?) was ramping up --known by a name I believe to be still classified; I'll refer you to a link. Before any new attribution names were assigned to the new activities, my incident response buddy and I sat on opposite sides of the table. Me, the intel guy, wanted to leave systems up to learn the lessons. His job was to get them back online. We joked about lots of beer, midnight Guitar Hero in our Mass.-based lab, and many, many near fistfights with wide open screaming mouths, and a LOT of spit flying over the table as we discussed ways forward.

The last, the CISO, has been doing this from the start, but we only met a couple of years ago. He's seen it all, developed all of his own tools, and takes pride in changing log-in credentials to offensive messages because he knows the attackers will read them.

It was a fun night. Working 166 of the 168 hours available during the week at the time burns you out fast, but looking back on it now, it doesn't seem so bad. The shared experience of having been on the cutting edge of this new era of cyber, while not good for the computers, was a real learning experience for us. All three of us --and many others-- had real impact on the way these events are handled today, and on the lessons that will be passed to those who've not yet experienced their oh sh*t moment... that moment when you realize someone is in your network; you've never seen it before, and you have absolutely no idea what to do about it.

For us, I wish we knew then what we know now. In uniform, who we asked for help was easy. Unfortunately, we were the experts! Roughly 10 years ago we joined FIRST and looked for active places to share lessons learned and ask for help, but FIRST members hadn't been seeing the kinds of activities we were working, so out of sheer exhaustion, three companies signed NDAs and started sharing APT information. I believe they're up to about 60 or so now.. I've not kept up.

Today, there's no end to the number of places that'll sell you Indicators of Compromise (IOCs). You can read about much of what's happening in open source Google groups and in an endless supply of links on LinkedIn. There is no easy button, but there are seemingly hundreds of vendors that'll sell you a box with a red light that lights up when spies or thieves are being gangster-slapped at the border router automatically by your new magic box, or a green light when that sexy magic box is humming along, bored, because it's not killing connections.

So yes, the codger moniker? The idea that I look at everything in this space with one eye closed, squinting with the other, isn't just because my bifocals require their now annual update. It's because when I hear a vendor tell a customer that their magic 8 ball answers 'yes you can' to the question 'can I buy a box that'll kill every bad connection, allow every good one, and at the same time fill all of the compliance needs, supply the metrics required by management, and when asked, prepare and deliver a perfect whoopie pie in a little glass door that serves as both the ingestion spot for gobbling all of those IOCs and, when needed, the dispensing door for that really awesome chocolatey creamy taste of heaven'... I laugh... out loud.

Yup. I've been doing this a while. I need some intellectual tennis with people new to the space, so Monday morning before heading out of Manchester, I spoke to a class at the University of New Hampshire. The class had kids from all areas --computer information systems/science, liberal arts, business-- and included a couple of veterans. I offered a talk, as I often do, on the state of cyber --What is APT? How is it that companies lose credit cards? ..a basic threat brief. I wasn't peppered with questions, but the ones I did get were good:

  • Are we winning the cyberwar? If not, why not?
  • What are my thoughts on Edward Snowden?
  • How do we get involved? What is the path to follow to get into information security?
Great questions all. I did my best to explain the complexity in current networks. Cloud, mobile, virtualization. Insourcing, outsourcing. They got the point. Complexity kills, and in this case complex cyber leads to holes.

I won't go into the others, but then I turned my question cannon on them...

"Should we be able to fire back?" I asked.

Without hesitation, a young woman (sophomore?), who looked like she should still be in High School, answered "YES!" Why? I asked.

"It's fun! When someone hacks me, it's fun to hack them back!"

I can't wait until she's ready for an internship! 

BT BT

I'm running around the country this week doing face-to-faces with Red Sky members. It's two years in, and it seems like a good time to get some honest feedback. As far as I can tell.. I've heard many times.. companies love our analysis products, and those who like to work in the portal --typically the deep tech folks-- are always in the Red Sky portal, talking, working, sharing. We have power users. Others are less enthusiastic about logging into yet another portal. So as I meet with customers, I'm looking for good feedback on what they like, and what we could do better! 

If you're interested in having a look at what Red Sky Alliance does, or some of the tailored intelligence and analysis coming from Wapack Labs, drop me a note. We're pushing before summer sets in, and happy to set up a time!

So until next time,
Have a great weekend!
Jeff