Henrybasset's 'Red Sky Alliance' Blog: Red Sky Weekly: Quality over quantity!

Henrybasset's 'Red Sky Alliance' Blog: Red Sky Weekly: Quality over quantity!:



I had an Intelligence Officer in the lab in Manchester a couple of weeks ago.. He told me a story. Apparently during his last rotation in-country, one of his big-data feeds didn't give him the granularity needed to accurately choose targets. So he spent most nights doing the analysis himself --deciphering the output, connecting the dots, and picking targets manually.

Henrybasset's 'Red Sky Alliance' Blog: Red Sky Weekly: We're STIX!

Henrybasset's 'Red Sky Alliance' Blog: Red Sky Weekly: We're STIX!: I'm happy to announce that we are now providing indicators in the STIX format. Two weeks ago we pushed our first STIX package to the...

Henrybasset's 'Red Sky Alliance' Blog: Red Sky Weekly: Reflections on a great career...

Henrybasset's 'Red Sky Alliance' Blog: Red Sky Weekly: Reflections on a great career...: I spent Thursday morning at the retirement ceremony for an old friend -  CWO3  Eric Slater, USMC And while it didn't hit me then, in t...

What does employee monitoring look like?

Several months ago I received a request for employee monitoring from an attorney working with the company. He'd asked about capability, so I cut a short video for him to show him what it actually looked like.

I've received the question several times.. can we do it? How do we do it? What happens? Do employees know? What kinds of things can we find out? So for a short explanation of what employee monitoring looks like, check out this minute and a half video. I've just posted it to YouTube.

I've had a bit of trouble with videos rendering, so if it doesn't start, click here.

Henrybasset's 'Red Sky Alliance' Blog: Red Sky Weekly: Cryptolocker down! Simplocker up! ...

Henrybasset's 'Red Sky Alliance' Blog: Red Sky Weekly: Cryptolocker down! Simplocker up! ...: It was a great week for the good guys in the fight against cyber threats!  On Monday, the Department of Justice announced the takedown of t...

Henrybasset's 'Red Sky Alliance' Blog: Red Sky Weekly: Did Russia attempt to sway the Ukr...

Henrybasset's 'Red Sky Alliance' Blog: Red Sky Weekly: Did Russia attempt to sway the Ukr...: Wapack Labs, under a project named "8-ball" maintains watch over cyber activities between Russia and the Ukra...

Henrybasset's 'Red Sky Alliance' Blog: Red Sky Weekly: Happy Memorial Day!

Henrybasset's 'Red Sky Alliance' Blog: Red Sky Weekly: Happy Memorial Day!: http://www.daviswilliamsfamilytree.com/?page_id=974 I wrote a blog this morning, but after reading it and re-reading it, I just didn&#3...

Henrybasset's 'Red Sky Alliance' Blog: Red Sky Weekly: Uptick in Dark Comet RAT?

Henrybasset's 'Red Sky Alliance' Blog: Red Sky Weekly: Uptick in Dark Comet RAT?: Indicator aging is a a topic that comes up often in conversations with folks who're interested in knowing how we handle old indicators....

Forensic expert in New England? Drop by and have a beer with us!

Wapack Labs has been in Manchester for just over a year. And to get to know the local forensic community, we're hosting happy hour next week for local forensics folks.

Drop by. Let us introduce you to the lab, and have a beer with us!

Date:  Tuesday May 13, 2014
Time: 5-7 PM
Place: 250 Commercial Street
          Manchester, NH

Please RSVP to scollette@wapacklabs.com

Hope to see you here!
Jeff

CBTS chooses Wapack Labs and Red Sky Alliance for Cyber Threat Intelligence and Analysis

CBTS's Advanced Cyber Security Team joins Red Sky Alliance

 

MANCHESTER, N.H., Dec. 12, 2013 /PRNewswire/ -- Red Sky® Alliance Corporation (Red Sky® Alliance) www.redskyalliance.org , the leading global information security collaborative cyber intelligence
and analysis firm, announced today that CBTS's Advanced Cyber Security team has joined the
membership, and will be partnering with Red Sky's Wapack Labs to supply targeted security intelligence a
nd analysis to CBTS and its customers. 

"As the security industry shifts to address targeted attacks, the CBTS Advanced Cyber Security team
is leading the way by delivering innovative products and services that enable customers to implement
intelligent analysis and adaptive defense based security programs that help businesses prevent,
detect and mitigate loss resulting from cyber assaults.   Our Red Sky Alliance membership coupled
with Wapack Labs' Threat Analysis and Intelligence services will ensure our customers have the
most up-to-date and accurate information," said Brian Minick, VP, CBTS.

"Wapack Labs has made great strides in identifying threat intelligence sources not readily available
to other companies, and has been analyzing the resulting data for almost two years. We opened
Wapack Labs in April, 2013 to help companies who might not be prepared, or legally allowed to
participate in the Red Sky Alliance collaborative. CBTS is a great partner who can deliver defensive
strategies built around Wapack Lab's intelligence and recommendations. We're very much l
ooking forward to working with them," said Jeff Stutzman, CEO Wapack Labs.

About Wapack Labs

Wapack Labs, located in the technology mills of Manchester, NH is a Cyber Threat Analysis and
Intelligence organization supporting Red Sky Alliance and others. The Lab offers expert level
targeted intelligence analysis answering some of the hardest questions in Cyber. The Lab
developed and hosts the Red Sky Alliance automated threat intelligence and analysis
databases (TIAD) and WhoisRecon. It has performed research, analysis and forensic for
dozens of global companies in hundreds of international locations. More information on
Wapack Labs can be found at www.wapacklabs.com.

About CBTS

The CBTS is a wholly owned subsidiary of Cincinnati Bell (NYSE: CBB). The company
combines the data networking capabilities of Cincinnati Bell with next-generation managed
services that provide companies with flexible solutions for end-to-end IT deployment.
The CBTS business model can help organizations increase productivity and operational 
efficiency while reducing costs and risks through solutions that focus on business continuance, 
compliance, security, and technology infrastructure. For more information, visit www.cbts.net

Media Contact:
Jim McKee, CFO
Wapack Labs Corp.
jmckee@wapacklabs.com
314-422-8185

FS-ISAC Leverages Wapack Labs to Help Protect Financial Services Members

Nice press release.. we've been wanting to figure out how to work with the FS-ISAC for quite some time, after supporting them during my days with DoD. This is a great group, and we're very much looking forward to the next year!

Jeff

PRESS RELEASE

Financial Services Member Organizations Will Benefit from Latest Cyber Threat Analysis and Intelligence Services from Top Provider of Targeted Intelligence Analysis

MANCHESTER, N.H., Dec. 10, 2013 /PRNewswire/ -- Wapack Labs Corporation announced today that it has finalized an agreement with the Financial Services Information Sharing and Analysis Center (FS-ISAC) to provide cyber threat analysis and intelligence services to the FS-ISAC membership in 2014.  Members of the organization include over 4,400 Banks, Credit Unions, Exchanges and Clearing Houses, Securities Firms, Asset Managers, Insurance Companies, Industry Utilities and Associations and Payment Processors.

"For over 14 years we have provided the latest cyber security intelligence to our members and this agreement with Wapack Labs enables us to enhance our offerings to our membership," says William Nelson, president and CEO, FS-ISAC. "We work with a limited set of high value partners that share our mission to protect our industry from the latest threats. We look forward to delivering to our members targeted intelligence analysis that can become part of each member's comprehensive risk reduction strategy."

Wapack Labs began operations on April 01, 2013, and performs tailored threat intelligence and analysis services for Red Sky Alliance Corporation www.redskyalliance.org, the leading global information security collaborative.  Red Sky Alliance serves global companies from cross-industries.  Wapack Labs current clients include one of the G-8 nations' National Level Computer Emergency Response Team. 

"Moving forward as a key threat analysis and intelligence resource for the FS-ISAC allows us to assist the global community of financial institutions, and provides a broader range of cyber situational awareness for our both those members and our clients," stated Jeff Stutzman, CEO at Wapack Labs.

Typically, the threat analyses provided by Wapack Labs assists users to protect themselves against future advanced persistent threats, insider risk, cyber-based fraud, and theft of banking and finance information.

About Wapack Labs

Wapack Labs, located in the technology mills of Manchester, NH is a Cyber Threat Analysis and Intelligence organization supporting Red Sky Alliance and others. The Lab offers expert level targeted intelligence analysis answering some of the hardest questions in Cyber. The Lab developed and hosts the Red Sky Alliance automated threat intelligence and analysis databases (TIAD) and WhoisRecon. It has performed research, analysis and forensic for dozens of global companies in hundreds of international locations. More information on Wapack Labs can be found at www.wapacklabs.com.

About FS-ISAC

The Financial Services Information Sharing and Analysis Center, formed in 1999, is a member-owned non-profit and private financial sector initiative. It was designed and developed by its member institutions. Its primary function is to share timely, relevant and actionable physical and cyber security threat and incident information to enhance the ability of the financial services sector to prepare for, respond to, and mitigate the risk associated with these threats. Constantly gathering reliable and timely information between its members, and from financial services providers, commercial security firms, government agencies, law enforcement and other trusted resources, the FS-ISAC is uniquely positioned to quickly disseminate physical and cyber threat alerts and other critical information. This information includes analysis and recommended solutions from leading industry experts. Please visit our website (www.fsisac.com) for additional information.

Media Contact:

Jim McKee, CFO
Wapack Labs Corp.
jmckee@wapacklabs.com
314-422-8185

SOURCE Wapack Labs Corporation

http://www.prnewswire.com/news-releases/fs-isac-leverages-wapack-labs-to-help-protect-financial-services-members-235252701.html

RELATED LINKS
http://www.redskyalliance.org
http://www.fsisac.com

What is Wapack Labs? What is its relationship with Red Sky Alliance?

First, before I begin, I'd like to take a moment and announce the passing of one of our guys. Chris Wierda, one of the newer guys in the lab, passed away last weekend of a massive heart attack. He was 43, a heck of a nice guy, an Army Infantry vet. He'll be missed.

BT BT

I just sent a note to one of the sources we use in identifying information that might be of help to our members. If you've ever sourced folks, you'll know that even at 6:30 in the morning when you might otherwise be having your first coffee, you might still find yourselves quelling the "the sky is falling" messaging when every source feels their gouge is more important than anything else in the world today.

Why sources? Because cyber comes in all shapes and sizes.  This blog is a bit different. We've done some amazing work in the lab and I rarely tell anyone about it, so I thought I might today.

As a bit of clarification, Red Sky is about information sharing of good cyber intelligence and network defense. When our guys post information to Red Sky members, it comes from smart guys, but also from things that smart guys have developed in Wapack Labs. The idea in the lab is to both perform second and third level dedicated for those who need it, but also, we use it to find new sources of unusual, high value information, collect that information, and turn that information into actionable intelligence to support members of the Alliance. But in doing so, we almost always come across a ton of other really interesting information that we then distill down to answer other questions.  We have the ability to do computer forensics, analysis, break down PCAP, and all of the other things needed to be able to help defenders protect their networks --and we do. We work these issues and post findings for members in the Red Sky and Beadwindow portals. But at the same time, when going through these processes, data identified gives us a really great perspective on other problems.

And on that, it should be noted... Information isn't intelligence. Intelligence comes from being able to identify the nuggets in information that might be helpful in aiding decision makers on courses of future actions. This is what Wapack Labs does. Red Sky is where we put that intelligence. Wapack Labs is where we develop and analyze it.

What kind of intelligence are we talking about?  Cyber defense obviously, but also insider threats, competitive intelligence, M&A, and self examination as starters.  With enough smart guys (we're keeping it small), we could easily go into dozens of others, but these are really fun so we'll focus here for now!

So beyond the cyber that we push to the portal, here are a couple of examples of non-cyber focused work that we end up obtaining as part of the process:

• Insider Threats: Last week we had the ability tell a global consumer electronics company that they have an insider threat problem. We had done research supporting cyber defense. This work that lead us to conversations (open source of course) of a specific group. One of the guys does security consulting work in a number of companies, and we had a conversation with one of them last week. This work has lead us to start an insider thread in the portal. 

• Mergers, acquisition, or outsourcing: Would you buy or use a company without doing due diligence?  Since earlier this spring, we've answered questions from companies about possible merger and acquisition targets, and this week we're being contracted for the third time to answer questions about a bunch of companies who're being looked at for large scale IT outsourcing by a non-member. The questions usually go something like "We're thinking about using tell us what you know about them."

• Infrastructure: While not necessarily intelligence focused, the Lab has received a number of requests where companies want to know about themselves! Our last paper went something like this... "We've been through a number of acquisitions and divestitures. What do you guys know about our infrastructure?" We're not into mapping networks, but the answer might be more along the lines of "We found that you still have web servers and a DMZ residing ." -or- "we found a dozen or so of your addresses registered as VPNs with a (ahem) third party." (This isn't a good thing.)  Interestingly enough, there's a TON of open source, free information out there that can be used to find out about a company's infrastructure and if you know how, you don't need to even touch the network to find it and answer questions like this.

So if you've wondered what Wapack Labs does, but were maybe to shy to ask, this is what it does... cyber defense, R&D, analysis, and anything else we find fun, interesting (and of course, revenue generating!). 

BT BT

I'm keeping it short today. It's been a heck of a week! 

So until next week. 

Have a great weekend.

Jeff

The Collision of Privacy and the Digital Age

With so much to gripe about with the HITECH Act, I bet many people missed a real devil in its details.  Under the old HIPAA rules, a breach was considered an event that was defined as a disclosure that put an individual’s PHI at “significant” risk – gotta love  the specifics!  To make things a little clear, the HITECH Act alters the definition to a “presumption” that a breach of PHI has occurred if that PHI is improperly handled or disclosed.  This can be abated if the healthcare entity can prove that there was a “low risk” that the PHI was compromised.  Glad HHS cleared this up!

Technology in the healthcare sector is advancing rapidly.  Cloud, mobile, and other technologies are reducing costs, giving patients more options, and assisting healthcare providers in quickly identifying ailments.  As a security professional, I can attest that these technologies are not “low risk”.  The Act of simply transmitting data between vendors or simply being connected to the Internet is inherently risky. 

Large healthcare providers who have been dealing with HIPAA for years have a head start on HITECH compliance.  Mature security plans that safeguard data, IT teams, and dedicated security professionals are commonplace.  Because of this maturity, the larger organizations can leverage these new technologies and reduce healthcare costs putting them at a competitive advantage over the smaller service providers.  So what about the smaller providers?

All said the smaller healthcare providers have some unique advantages over their much larger counterparts.  For example, smaller service providers are less likely to have the volumes of patient data to manage, less network connections to protect, and a more intimate relationship with patients to help define the technologies that most benefit the patient and the provider.  Knowing the risk appetites for both the patient and the service provider are going to be crucial in how healthcare functions - a new dimension of the doctor-patient relationship.

To say the HITECH Act puts the business of smaller healthcare providers at risk may be an understatement.   The challenge will be leveraging new technologies yet keeping risks low enough to stay off HHS’s website for non-compliance – for sure a daunting challenge for the smaller service providers.  There will no doubt be a delicate balance between reducing costs and providing good service.  More importantly, as a new generation of connected patients comes of age, market forces will dictate that PHI be mobile and easily received.  Here are a few things to consider:

1)      Assess your current exposure.  Before you implement any new technologies, what new risks are you assuming by rolling out new technologies?  Map those new risks to your current risk mitigation plan and if you don’t have a plan, implement one!

2)      Transfer risk to your partners.  HITECH obligates a legal chain of accountability from one service provider to another.  Make sure you clearly understand the responsibilities of your partners, providers, and subcontractors if there is a breach.  Don’t get caught on this!

3)      Education.  Real security happens at the human level.  Educate your staff as well as patients to the implications of improperly using, transmitting, or handling PHI.  Humans are the weakest link in any security strategy but it is far better to have educated humans than those that “didn’t know” taking home a thumb drive with PHI on it was really bad!

With some forethought and planning, the future for small service providers is equally as bright as the large ones.  Wapack Labs knows the risks associated with technology and how those risks can be mitigated. We offer full security solutions for the small to medium service providers including HIPAA gap analysis, security architecture, digital forensics, and advance threat protection.   If you have any questions or comments, email me directly – rgamache@wapacklabs.com.

Rick Gamache is Partner and Managing Director of Wapack Labs.  Rick is a CISSP with over 25 years in the security sector and has served as an expert security auditor to the private and public sectors.

The Pocket Sized Attack

Back in July Reuters reported on warnings by a UN team regarding mobile device vulnerabilities.

Last week, I got an email notice from the Facebook gods that once again their policies were changing, among them some updates to language concerning what data you're sharing with mobile devices.

4 days prior to that, I saw this article in the New York Times about malicious software being installed by clicking on a video link.

And immediately prior to that, Red Sky and Wapack Labs came out with a Priority Incident Report in which it was stated:
"Kaspersky recently reported that five million Android devices have been infected with malware, through Google Cloud Messaging, which allows hackers to send update messages directly to applications installed on a device.[i] The malware is designed to steal the victims information including the phone’s contact list and is the most diffused agent in over 97 countries."

As I mentioned previously, one of the most common vectors that bad people use to get into the intellectual property of companies large and small is through you and your contacts.

Being able to hijack a contact list allows hackers to gain a treasure trove of information that otherwise would take multiple phishing attacks over long periods of time. Names, addresses, phone numbers, company info...all of which can be used in very specific social engineering.

I'm delivering a presentation in a few weeks to a group of concerned parents that are exactly the same as every other parent. They are concerned about their children and want to do everything they can to protect them. What makes this group intriguing is that they have extremely high net worth.

Does this make them any different than you and me? Not in the least.

Hackers will use any vector they can to get the information that they need. High net worth individuals tend to be in CXO type positions or have significant influence in their companies. If their children are not using safe online practices, it could expose the parent to attacks both physical and cyber.

These days, most parents will have their children listed as contacts and vice-versa (at least one would *think*). To the hacker, it's all about who is in your contact list and how that information can be exploited. They have no problem compromising a child's mobile device to gain access to home networks of powerful people.

For some reason, the folks that I speak to tend to believe that cyber attacks will only occur on their laptop or home computer or company network. They forget that the device that they hold in their hand is a 4 ounce key to their entire life, sometimes much more powerful and valuable than anything you may have on your daily PC.

Just because you can fit it in your pocket doesn't mean it is any less susceptible to compromise.

Stay vigilant, stay up to date with your security patches, and for goodness sake, don't click that sketchy Facebook video link on your phone.

Airports and APTs

I'm sitting here at Logan Airport waiting for a flight. Like a lot of folks, I am a people watcher. As the crowds float by, I am fascinated by human interactions. What I tend to notice more often than not is the complete and utter lack of personal security most adults display.

Humans by nature are very trusting individuals, and this is the crux of the problem, especially to those of us in the world of security.

Society dictates that we be polite to one another, and it is a common belief that in general people are not out to do us harm.

This statement, although primarily true, has a weakness: there are always people willing to do us harm. The Media makes a living off of reporting it.

As folks stand in line, I am often amazed by the amount of information that they give out: where they are going, who they are meeting, if they are alone, where they are from, what they do for a living, and on and on. This information, in the hands of a malicious person can be an entry point into your personal and professional data. If we are willing to give up our personal security to complete strangers at an airport, how can it be expected that we make a paradigm shift as a culture towards cyber security? How do we make people more vigilant in their ever increasing dependence on current technology?

Hold that thought.

So as I sit here in the terminal, I'm also reflecting on the notion of short term vs long term "pain". The website Hackmageddon lists current cyber security threats and there is always some interesting analysis to be found. For example, 57% of the cyber crime perpetrated last month is general financial theft, fraud, and the like. Only 4% of crimes in the previous month are the Advanced Persistent Threats: highly targeted industrial espionage attacks. This is where intellectual property of high profile companies is stolen, resulting is significant and negative financial impacts.

What kinds of intellectual property? How about the plans for your next phone or your next network-connected television or the control systems of your car? 

If you're more concerned about the 57% than the 4%, then we have some work to do. The short term cyber crime (credit card theft, etc) is painful for the individual. There is no doubt about that. However, losing the intellectual property that is driving this country's future innovation is hurting all of us at once and will lead to longer term national impacts.

So how does this all tie together?

Typically, hackers will use exploits in general human interactions and security practices to gain access to the networks that drive our companies.

Maintaining proper security practices is vital to keeping us all safe. If you're new to security and are reading this blog, you are well ahead of most individuals. One of the best ways to learn more is to actively engage with other people passionate about the same topics. That's what we do every day at Wapack Labs in the Beadwindow™ portal. Get in touch with us and join the conversations.