Saturday, December 08, 2012

Red Sky Weekly - Threat Day, Name and Shame, Beadwindow!

We held our third Red Sky Alliance Threat Day in San Antonio this week, and it was an absolute success! We had a decent turnout with several member companies in attendance. The day started out with a joint presentation on a well-known threat group and included a "name and shame" on several of the actors themselves.

  • Analysts working together on site were able to identify not only the (high confidence) identities of many of the people believed to be associated with this group, but also alias email addresses, buddy lists, blog sites, forums they participate in, and screenshots of their computers with (believed) exfiltrated files on the desktop. In addition to personas, analysts were able to view what they believed was targeted information, including technologies ranging from military to electric automobile technologies and financials of over a dozen companies. A formal “Name and Shame” fusion report resulting from the onsite “Analyze-a-Thon” will be published to our community in the near future.
  • This presentation by Red Sky analysts and one of our members was followed up with a post-exploitation analysis of another group by a second member analyst.
  • The day was wrapped up with a lessons-learned discussion on building out a network forensics capability.

On the Beadwindow Private | Public side of the house, we’ve met with two of the six major Federal Cyber Centers, delivering presentations on how they might benefit from participating in the Beadwindow portal. My hope is that we’ll see some new participants soon. I’m very much looking forward to that day. While we hear every day that members of the government have a hard time talking to private industry information security practitioners, Beadwindow offers a great way to allow this sharing, and allows corporate members the ability to protect their anonymity if they choose.

As we head into the end of the year, the portal this week was business as usual.

  • Our analysts are currently crowdsourcing a new malware variant and TTP involved in a recent uptick of APT activity.
  • Two new ‘diversified industry’ participants have joined and are participating. While it may seem hard to think about how you, as a new member, might benefit from participating in the Alliance, one new member immediately started posting to an area we call “Wildfire”. The new member needed help. Wildfire is reserved for out-of-band communications during incident response, and to request assistance from the community. The “Forming, Storming, Norming and Performing” process we go through with new members is quickly becoming routine. The group is gelling nicely and we’re finding great benefit in the amazing group of companies now in the Alliance.

So, if you’re thinking about jumping in, now’s the time. Government and Academic users can take advantage of lower rates for membership in the Beadwindow portal. Commercial users can take advantage of founding level membership pricing for only another couple of weeks. Current pricing ends on 12/31. Don’t wait.

Have a great week!
Jeff