Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
10:35 AM
John Bambenek
John Bambenek
Partner Perspectives
Connect Directly

The Rise of Counterintelligence in Malware Investigations

The key to operationalizing cybersecurity threat intelligence rests in the critical thinking that establishes that a given indicator is, in fact, malicious.

There has been a great deal of talk about the emerging field of cybersecurity threat intelligence in recent years. CTI is the application of intelligence tactics to gain insights on adversarial actors and their tools, techniques, and procedures. However, one aspect that’s not frequently discussed is the use of counterintelligence tactics by both the defender and the adversary.

One of the chief problems in both digital forensics and CTI is that much of the data we need to analyze is under the control of the adversary, who has the means and motive to deceive. For instance, it is not atypical to see malware that has large detailed functions that are never called upon in the real world and exist only to make malware researchers waste time figuring them out.

Most dynamic malware detection solutions will search for any network connectivity that malware makes. However, what they don’t do is determine if the network connectivity is actual malicious traffic or if it is a false trail. Malware can generate a smoke screen of DNS queries and network traffic simply to hide the “real” malicious traffic in a stream of noise that makes it difficult to reverse engineer.

In fact, it’s not unusual for malware to generate traffic to mock various individuals or companies. This is not limited to network traffic; it could be strings in the binary, user-agents, WHOIS data, or anything that can be manufactured to waste the time of the researcher or to troll others.

While amusing, there are far more destructive forms of deception that can and have been employed. If organizations are not scrutinizing the processing of their data, malicious threat actors can poison it to cause outage events.

For instance, if an organization processes lists of known malicious domains -- and bear in mind that attackers also know of these malicious domains -- an attacker could have a few of those domains resolve to IP addresses of important infrastructure. As an example, if an organization simply resolves malicious domains to IPs, then the IPs feed firewalls automatically. One of the resolved IPs points to the organization’s own DNS server, which very quickly results in a significant outage event.

If WHOIS data is forged (which is easy to do), it is possible to direct legal action toward an innocent individual or entity. Even domain generation algorithms (DGAs) -- particularly ones that use wordlists -- could lead to a DGA generating an actually “good” domain name that may get caught up in an automated blocklist.

For CloudFlare hosted domains, “direct” is a default hostname that normally points directly to the actual machine that would otherwise be obfuscated by CloudFlare (e.g. direct.SOMEDOMAIN.com). This is obviously configurable, and a malicious actor could simply point that to an innocent third-party machine. If a researcher is sloppy, he or she could take action against that innocent machine and its owner.

The key to operationalizing CTI rests not simply in generating indicators of compromise; the key rests in the critical thinking that establishes the confidence that a given indicator is, in fact, malicious. Far too many organizations and researchers simply mine for indicators and use those indicators without scrutiny. Malicious actors know this, and it seems like they are starting to use that against us.


John Bambenek is a Senior Threat Researcher at Fidelis Cybersecurity. His areas of specialty include digital forensics, global cybercrime investigation, and threat intelligence. He has developed open source feeds of threat intelligence data and works with law enforcement ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
4/22/2015 | 7:13:31 PM
The Black Hats Have the Floor
I couldn't agree more.  As a casual observer, I've been critical of CTI exactly because of what the Black Hatters are taking advantage of.  Data mining, analysis and intelligence must be aggressive and reach out beyond the confines of indicators - something often left to the human interpreter of data, but that can also be programmed, the right mind behind the code.  This means a combination of things, 1) that CTI needs to be realtime - alerting trained ethical hackers 24/7 of an incident in progress, and 2) that those ethical hackers actively engage the intruders using CTI and realtime offensive strategies to push back.  

Yes, as has been raised many times we are often found with our hands tied when it comes to offensive response to Black Hat activity, but as the other side becomes more shrewd and takes advantage of the limitations of the cyber security policies and procedures we execute within the strict letter of the law, it becomes more than evident that something needs to change, whether that is policy, law or to whom we turn to take on the Black Hats who think there is nothing preventing them from intruding in our cyberspace.  The key is, like a police officer pursuing a fleeing suspect from the scene of a crime, active pursuit using the most bleeding-edge network data analysis tools while also having a weapon on the hip, just in case.

With targets like power grids and nuclear refineries out there, I don't see how we can't step up our response. 
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Enterprise Cybersecurity Plans in a Post-Pandemic World
Download the Enterprise Cybersecurity Plans in a Post-Pandemic World report to understand how security leaders are maintaining pace with pandemic-related challenges, and where there is room for improvement.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-09-19
loop_rw_iter in fs/io_uring.c in the Linux kernel through 5.14.6 allows local users to gain privileges by using IORING_OP_PROVIDE_BUFFERS to trigger a free of a kernel buffer, as demonstrated by using /proc/<pid>/maps for exploitation.
PUBLISHED: 2021-09-19
All versions of package com.jsoniter:jsoniter are vulnerable to Deserialization of Untrusted Data via malicious JSON strings. This may lead to a Denial of Service, and in certain cases, code execution.
PUBLISHED: 2021-09-18
Teleport before 4.4.11, 5.x before 5.2.4, 6.x before 6.2.12, and 7.x before 7.1.1 allows forgery of SSH host certificates in some situations.
PUBLISHED: 2021-09-18
Teleport before 4.4.11, 5.x before 5.2.4, 6.x before 6.2.12, and 7.x before 7.1.1 allows alteration of build artifacts in some situations.
PUBLISHED: 2021-09-18
Teleport before 6.2.12 and 7.x before 7.1.1 allows attackers to control a database connection string, in some situations, via a crafted database name or username.