06:45 PM

Black Hat: Developer Aims To Make Attack Recovery More Intelligent

One company uses threat information, virtualization and analysis to build a better way to disinfect compromised systems

Companies that need to support a large number of users and help them recover from an epidemic spread of malware may get some help at the Black Hat USA security conference this year.

Click here for more of Dark Reading's Black Hat articles.

ReversingLabs, known for its static malware analysis tools and services, will release the File Disinfection Framework, an open-source project funded by the Defense Advanced Research Projects Agency (DARPA), at the Las Vegas conference next month. The framework aims to make developing custom disinfection tools much easier, by giving security technicians an advanced virtual machine and common building blocks, so that large organizations and service providers can better support their clients.

"Disinfection turns out to be one of the most complicated parts of the remediation process," says Mario Vuksan, CEO of the Cambridge, Mass., company. That's even more true for polymorphic file infectors that attempt to change the way they look and behave to fool antivirus and host-based intrusion detection software.

The company hopes that technical members of corporate information security teams will use the tools to better respond to mass compromises. Because the antivirus industry and other security firms have to prioritize their workload, smaller infections -- while still plaguing individual companies -- may not garner as much support as more widespread epidemics.

The File Disinfection Framework uses both static analysis and emulation in a virtual sandbox to allow users to collecting intelligence on and observe the infection capabilities of a specific piece of malware and then manipulate the malware in order to create a strategy for disinfection.

Tools such as the FDF go hand in hand with threat intelligence, says Vuksan. While companies can collect intelligence on the threat targeting their organization, turning that intelligence into action requires the right tools, he says.

"We hope that this allows users to produce better disinfectors and do it more quickly," he says.

[Defense alone won't stop an attacker from getting inside, so some organizations are looking at the age-old offensive strategy of deceiving corporate spies with bogus information or other trickery. See The Enterprise Strikes Back.]

While most enterprise security professionals will immediately jump to reinstalling the entire system so as to not take chances, there are many cases where disinfecting a file -- especially an important data file -- may be preferable. Internet service providers that offer support to their customers, for example, will often find that they have not made important backups of data.

"As a consumer, you are not going to want to re-image your machine just because you are infected," Vuksan says. "And for enterprises, if you have a mass file infector, what's going to happen to your IT team? They will likely all quit if they have to manually clean every system."

Dean De Beer, chief technology officer for malware analysis firm ThreatGRID, prefers the safety of re-imaging a system, but agrees that companies seeking more information on the threats in their network will benefit from the project.

"I don't think this is going to be in the hands of anyone except the very technical and the very smart, but that's where it should be," he says.

Building that technical aptitude in-house is another great way to use the toolset, says David Marcus, director of advanced research and threat intelligence for security firm McAfee, an Intel company.

"The more people you have that know how to reverse code and clean systems, the better you are arming them to be good at defense," he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Printers: The Weak Link in Enterprise Security
Kelly Sheridan, Associate Editor, Dark Reading,  10/16/2017
20 Questions to Ask Yourself before Giving a Security Conference Talk
Joshua Goldfarb, Co-founder & Chief Product Officer, IDDRA,  10/16/2017
Why Security Leaders Can't Afford to Be Just 'Left-Brained'
Bill Bradley, SVP, Cyber Engineering and Technical Services, CenturyLink,  10/17/2017
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.