Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
10:35 AM
John Bambenek
John Bambenek
Partner Perspectives
Connect Directly

The Rise of Counterintelligence in Malware Investigations

The key to operationalizing cybersecurity threat intelligence rests in the critical thinking that establishes that a given indicator is, in fact, malicious.

There has been a great deal of talk about the emerging field of cybersecurity threat intelligence in recent years. CTI is the application of intelligence tactics to gain insights on adversarial actors and their tools, techniques, and procedures. However, one aspect that’s not frequently discussed is the use of counterintelligence tactics by both the defender and the adversary.

One of the chief problems in both digital forensics and CTI is that much of the data we need to analyze is under the control of the adversary, who has the means and motive to deceive. For instance, it is not atypical to see malware that has large detailed functions that are never called upon in the real world and exist only to make malware researchers waste time figuring them out.

Most dynamic malware detection solutions will search for any network connectivity that malware makes. However, what they don’t do is determine if the network connectivity is actual malicious traffic or if it is a false trail. Malware can generate a smoke screen of DNS queries and network traffic simply to hide the “real” malicious traffic in a stream of noise that makes it difficult to reverse engineer.

In fact, it’s not unusual for malware to generate traffic to mock various individuals or companies. This is not limited to network traffic; it could be strings in the binary, user-agents, WHOIS data, or anything that can be manufactured to waste the time of the researcher or to troll others.

While amusing, there are far more destructive forms of deception that can and have been employed. If organizations are not scrutinizing the processing of their data, malicious threat actors can poison it to cause outage events.

For instance, if an organization processes lists of known malicious domains -- and bear in mind that attackers also know of these malicious domains -- an attacker could have a few of those domains resolve to IP addresses of important infrastructure. As an example, if an organization simply resolves malicious domains to IPs, then the IPs feed firewalls automatically. One of the resolved IPs points to the organization’s own DNS server, which very quickly results in a significant outage event.

If WHOIS data is forged (which is easy to do), it is possible to direct legal action toward an innocent individual or entity. Even domain generation algorithms (DGAs) -- particularly ones that use wordlists -- could lead to a DGA generating an actually “good” domain name that may get caught up in an automated blocklist.

For CloudFlare hosted domains, “direct” is a default hostname that normally points directly to the actual machine that would otherwise be obfuscated by CloudFlare (e.g. direct.SOMEDOMAIN.com). This is obviously configurable, and a malicious actor could simply point that to an innocent third-party machine. If a researcher is sloppy, he or she could take action against that innocent machine and its owner.

The key to operationalizing CTI rests not simply in generating indicators of compromise; the key rests in the critical thinking that establishes the confidence that a given indicator is, in fact, malicious. Far too many organizations and researchers simply mine for indicators and use those indicators without scrutiny. Malicious actors know this, and it seems like they are starting to use that against us.


John Bambenek is a Senior Threat Researcher at Fidelis Cybersecurity. His areas of specialty include digital forensics, global cybercrime investigation, and threat intelligence. He has developed open source feeds of threat intelligence data and works with law enforcement ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
4/22/2015 | 7:13:31 PM
The Black Hats Have the Floor
I couldn't agree more.  As a casual observer, I've been critical of CTI exactly because of what the Black Hatters are taking advantage of.  Data mining, analysis and intelligence must be aggressive and reach out beyond the confines of indicators - something often left to the human interpreter of data, but that can also be programmed, the right mind behind the code.  This means a combination of things, 1) that CTI needs to be realtime - alerting trained ethical hackers 24/7 of an incident in progress, and 2) that those ethical hackers actively engage the intruders using CTI and realtime offensive strategies to push back.  

Yes, as has been raised many times we are often found with our hands tied when it comes to offensive response to Black Hat activity, but as the other side becomes more shrewd and takes advantage of the limitations of the cyber security policies and procedures we execute within the strict letter of the law, it becomes more than evident that something needs to change, whether that is policy, law or to whom we turn to take on the Black Hats who think there is nothing preventing them from intruding in our cyberspace.  The key is, like a police officer pursuing a fleeing suspect from the scene of a crime, active pursuit using the most bleeding-edge network data analysis tools while also having a weapon on the hip, just in case.

With targets like power grids and nuclear refineries out there, I don't see how we can't step up our response. 
Attackers Leave Stolen Credentials Searchable on Google
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2021
How to Better Secure Your Microsoft 365 Environment
Kelly Sheridan, Staff Editor, Dark Reading,  1/25/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: We need more votes, check the obituaries.
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-01-27
IBM Cloud Pak for Security (CP4S) could allow a remote user to obtain sensitive information from HTTP response headers that could be used in further attacks against the system.
PUBLISHED: 2021-01-27
IBM Cloud Pak for Security (CP4S) could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. IBM X-For...
PUBLISHED: 2021-01-27
IBM Cloud Pak for Security (CP4S) is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
PUBLISHED: 2021-01-27
IBM Cloud Pak for Security (CP4S) could disclose sensitive information through HTTP headers which could be used in further attacks against the system. IBM X-Force ID: 192425.
PUBLISHED: 2021-01-27
Stored XSS vulnerability in BDTASK Multi-Store Inventory Management System 1.0 allows a local admin to inject arbitrary code via the Customer Name Field.