Partner Perspectives  Connecting marketers to our tech communities.
10:35 AM
John Bambenek
John Bambenek
Partner Perspectives
Connect Directly

The Rise of Counterintelligence in Malware Investigations

The key to operationalizing cybersecurity threat intelligence rests in the critical thinking that establishes that a given indicator is, in fact, malicious.

There has been a great deal of talk about the emerging field of cybersecurity threat intelligence in recent years. CTI is the application of intelligence tactics to gain insights on adversarial actors and their tools, techniques, and procedures. However, one aspect that’s not frequently discussed is the use of counterintelligence tactics by both the defender and the adversary.

One of the chief problems in both digital forensics and CTI is that much of the data we need to analyze is under the control of the adversary, who has the means and motive to deceive. For instance, it is not atypical to see malware that has large detailed functions that are never called upon in the real world and exist only to make malware researchers waste time figuring them out.

Most dynamic malware detection solutions will search for any network connectivity that malware makes. However, what they don’t do is determine if the network connectivity is actual malicious traffic or if it is a false trail. Malware can generate a smoke screen of DNS queries and network traffic simply to hide the “real” malicious traffic in a stream of noise that makes it difficult to reverse engineer.

In fact, it’s not unusual for malware to generate traffic to mock various individuals or companies. This is not limited to network traffic; it could be strings in the binary, user-agents, WHOIS data, or anything that can be manufactured to waste the time of the researcher or to troll others.

While amusing, there are far more destructive forms of deception that can and have been employed. If organizations are not scrutinizing the processing of their data, malicious threat actors can poison it to cause outage events.

For instance, if an organization processes lists of known malicious domains -- and bear in mind that attackers also know of these malicious domains -- an attacker could have a few of those domains resolve to IP addresses of important infrastructure. As an example, if an organization simply resolves malicious domains to IPs, then the IPs feed firewalls automatically. One of the resolved IPs points to the organization’s own DNS server, which very quickly results in a significant outage event.

If WHOIS data is forged (which is easy to do), it is possible to direct legal action toward an innocent individual or entity. Even domain generation algorithms (DGAs) -- particularly ones that use wordlists -- could lead to a DGA generating an actually “good” domain name that may get caught up in an automated blocklist.

For CloudFlare hosted domains, “direct” is a default hostname that normally points directly to the actual machine that would otherwise be obfuscated by CloudFlare (e.g. This is obviously configurable, and a malicious actor could simply point that to an innocent third-party machine. If a researcher is sloppy, he or she could take action against that innocent machine and its owner.

The key to operationalizing CTI rests not simply in generating indicators of compromise; the key rests in the critical thinking that establishes the confidence that a given indicator is, in fact, malicious. Far too many organizations and researchers simply mine for indicators and use those indicators without scrutiny. Malicious actors know this, and it seems like they are starting to use that against us.


John Bambenek is a Senior Threat Researcher at Fidelis Cybersecurity. His areas of specialty include digital forensics, global cybercrime investigation, and threat intelligence. He has developed open source feeds of threat intelligence data and works with law enforcement ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
4/22/2015 | 7:13:31 PM
The Black Hats Have the Floor
I couldn't agree more.  As a casual observer, I've been critical of CTI exactly because of what the Black Hatters are taking advantage of.  Data mining, analysis and intelligence must be aggressive and reach out beyond the confines of indicators - something often left to the human interpreter of data, but that can also be programmed, the right mind behind the code.  This means a combination of things, 1) that CTI needs to be realtime - alerting trained ethical hackers 24/7 of an incident in progress, and 2) that those ethical hackers actively engage the intruders using CTI and realtime offensive strategies to push back.  

Yes, as has been raised many times we are often found with our hands tied when it comes to offensive response to Black Hat activity, but as the other side becomes more shrewd and takes advantage of the limitations of the cyber security policies and procedures we execute within the strict letter of the law, it becomes more than evident that something needs to change, whether that is policy, law or to whom we turn to take on the Black Hats who think there is nothing preventing them from intruding in our cyberspace.  The key is, like a police officer pursuing a fleeing suspect from the scene of a crime, active pursuit using the most bleeding-edge network data analysis tools while also having a weapon on the hip, just in case.

With targets like power grids and nuclear refineries out there, I don't see how we can't step up our response. 
High Stress Levels Impacting CISOs Physically, Mentally
Jai Vijayan, Freelance writer,  2/14/2019
Valentine's Emails Laced with Gandcrab Ransomware
Kelly Sheridan, Staff Editor, Dark Reading,  2/14/2019
Making the Case for a Cybersecurity Moon Shot
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  2/19/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-02-21
A memory leak in the kernel_read_file function in fs/exec.c in the Linux kernel through 4.20.11 allows attackers to cause a denial of service (memory consumption) by triggering vfs_read failures.
PUBLISHED: 2019-02-21
Koseven through 3.3.9, and Kohana through 3.3.6, has SQL Injection when the order_by() parameter can be controlled.
PUBLISHED: 2019-02-21
Seafile through 6.2.11 always uses the same Initialization Vector (IV) with Cipher Block Chaining (CBC) Mode to encrypt private data, making it easier to conduct chosen-plaintext attacks or dictionary attacks.
PUBLISHED: 2019-02-21
An issue was discovered in Liquidware ProfileUnity before 6.8.0 with Liquidware FlexApp before 6.8.0. A local user could obtain administrator rights, as demonstrated by use of PowerShell.
PUBLISHED: 2019-02-21
Splunk Web in Splunk Enterprise 6.5.x before 6.5.5, 6.4.x before 6.4.9, 6.3.x before 6.3.12, 6.2.x before 6.2.14, 6.1.x before 6.1.14, and 6.0.x before 6.0.15 and Splunk Light before 6.6.0 has Persistent XSS, aka SPL-138827.