Our Red Sky Alliance analyst team uses Cisco Meraki and RedXray-Plus for our VIP client protection. For numerous reasons, prospective clients often confuse the RedXray threat intelligence feed with an Intrusion Detection System (IDS; alerting/monitoring) or Intrusion Prevention System (IPS; blocking/preventing).
The Meraki device is different from RedXray service in several ways. The Meraki is limited because it uses generic Sourcefire Snort rules and does not allow for the creation/use of custom snort rules. Meraki does not provide context or insight beyond the individual PCAP (packet capture) for each individual event. There is no contextual information along with the single alert, such as a PCAP before and after the event.
RedXray identifies potential threats including breach data, keyloggers, and sinkhole traffic, coming from their organization’s network dating years back. Breach data can be, and likely will be, used in credential re-use attacks to gain an initial foothold into an organization. RedXray monitors these credentials beyond traditional services such as “haveibeenpwned” by using our proprietary sources.
Analysis has shown cyber threat analysts that if an organization is observed with a keylogger or checking into a sinkhole, they are already infected. This indicates the attacker has not yet attempted to move laterally within the network or is in the process of creating long-term access for future attacks (or to sell to other bad actors). A simple explanation for this is Meraki will tell you where you have been hit with well-known exploits. RedXray provides preventative external threat information which can be used to prevent attacks in the first place.
Consider the following scenario: A bad actor goes and queries a company’s domain, searching for emails and passwords in their collection of breach data. After finding credentials the hacker logs into an account and begins sending malicious documents to other members of the organizations, or to vendors and clients. Meraki might trigger an alert, but only after the other members of the organization have been infected and start beaconing (if they use a free TLD like .biz, .tk, .ml, .gq, etc.).
RedXray daily monitors the same underground breach sources and could have provided a notification email to reset the breached credentials, preventing an intrusion in the first place. The same scenario could be applied to a device infected with a keylogger, or devices communicating with a known sinkhole server. RedXray is primarily focused on cyber intelligence to take preemptive action before malicious activity occurs, while IDS/IPS devices such as Meraki are more effective after the delivery/installation phases.
What can you do to better protect your organization today?
- All data in transmission and at rest should be encrypted.
- Proper data back-up and off-site storage policies should be adopted and followed.
- Institute cyber threat and phishing training for all employees, with testing and updating.
- Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
- Enroll your company/organization in RedXray for daily cyber threat notifications are directed at your domains. RedXray service is $500 a month and provides threat intelligence on nine (9) cyber threat categories including Keyloggers, with having to connect to your network.
- Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.
Red Sky Alliance is in New Boston, NH USA and is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 888-RED-XRAY or (888)-733-9729, or email firstname.lastname@example.org