10:30 AM
Paul Shomo

How Technologies Incubated A Decade Ago Shape The World Today

The security industry is doing a better job of sharing threat intelligence than ever before, but we're also sharing with the enemy.

The quantity and delicate nature of the records stolen from the Office of Personnel Management (OPM), for me, make it the most meaningful breach of 2015. This story hit close to home for a couple of reasons. Having the benefit of inside sources, I was quoted by the media days after the attack, stating that the Chinese-made PlugX RAT (remote access terminal malware) was involved. Upon researching the history of this Trojan, I was shocked to see its author’s career timeline exactly paralleled mine.

As a software R&D guy, I know that an idea on a whiteboard can take years before the code is not only written, but the product adopted, and used enough to appear in the news. So I react differently to news stories such as those about the OPM hack. While others consider the present and future implications, I often ponder the technology’s incubation period stretching back years prior.

Trend Micro first discovered the PlugX RAT in 2008 and attributed it to Chinese syndicates. Coincidentally, this was also the Year of the Rat in the Chinese zodiac. The Year of the Rat is not all about PlugX; the first advanced persistent threats (APTs) were also being enhanced during this period. The work performed by these noteworthy malware authors was presumably fueled by an increase in Chinese state funding.

Having some feel for the lifecycle of software, I presume PlugX’s authors were developing this malicious code in 2007. Coincidentally, I mirrored my black hat doppelganger that year. I had just been recruited into Guidance Software to work on the industry’s first incident response (IR) product. Today, analysts project the IR market to grow to $14 billion by 2017, but nine years ago, the product we originally named Automated Incident Response (AIR) attracted wisecracks.

Given that they prefer to labor in anonymity, our black hat counterparts surely avoid these challenges. Relieved of the burden of educating risk-averse decision makers, or of battling for inclusion in customer budgets, my agile counterparts simply handed PlugX to sophisticated bad actors who branded cyberspace with their accomplishment.

As my years in R&D have marched on, I’ve spent much time contemplating the natural advantages held by my dark side counterparts. While the detection and response industry broadcasts its every innovation from the mountain tops, black hats work under the cover of darkness. The security industry is probably doing a better job of sharing threat intelligence, but we’re also sharing with the enemy.

An increase in industry spending has brought many talented software developers into the employ of detection and response security vendors. That said, one only needs to peer into a malware production outfit like the recently breached Hacking Team to see that the other side employs the same type of software developers that we do.

Black hats have countered signature-based detection the way I would expect. They’ve developed toolkits like PlugX or DarkComet that spit out zero-day variants in minutes. Whether you’re talking about bypassing simple antivirus detection by producing new file-hash variants, or bypassing sophisticated indicator of compromise (IOC) detection by switching approaches to process injection, these toolkits can vary an attack with the push of a button.

Mikko Hypponen, in a famous 2012 MIT Technology Review article on the advanced malware Flame, got it right when he declared, “The Antivirus Era Is Over.” Symantec Senior VP Brian Dye might well have sighed when he echoed the same sentiment last May.

There will always be a resource-constrained portion of the industry that simply dissuades low-level attackers with signatures and perimeter defenses. But those with profiles high enough to entice truly sophisticated or state-sponsored actors know full well there is an active battlefield inside their networks. These cybersecurity professionals have resigned themselves to the reality of good old-fashioned hand-to-hand combat.

Big data analytics and machine learning are no magic pills, but will help narrow down false positives and better detect anomalies. To really turn the tide, we need products that are flexible platforms that support communities of researchers. Instead of leveraging the community only for fresh signatures, vendor app stores should allow new detection approaches to be delivered directly to customers as quickly as new malware types are captured. That approach, if adopted broadly, might begin to even the playing field.

Paul Shomo is a senior technical manager at Guidance Software, Inc. He first joined Guidance's new product research group in 2006, which launched the industry's first incident response solution. For years Paul managed and architected cybersecurity and forensic products, and ...