Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
4/22/2015
10:35 AM
John Bambenek
John Bambenek
Partner Perspectives
Connect Directly
Twitter
RSS
100%
0%

The Rise of Counterintelligence in Malware Investigations

The key to operationalizing cybersecurity threat intelligence rests in the critical thinking that establishes that a given indicator is, in fact, malicious.

There has been a great deal of talk about the emerging field of cybersecurity threat intelligence in recent years. CTI is the application of intelligence tactics to gain insights on adversarial actors and their tools, techniques, and procedures. However, one aspect that’s not frequently discussed is the use of counterintelligence tactics by both the defender and the adversary.

One of the chief problems in both digital forensics and CTI is that much of the data we need to analyze is under the control of the adversary, who has the means and motive to deceive. For instance, it is not atypical to see malware that has large detailed functions that are never called upon in the real world and exist only to make malware researchers waste time figuring them out.

Most dynamic malware detection solutions will search for any network connectivity that malware makes. However, what they don’t do is determine if the network connectivity is actual malicious traffic or if it is a false trail. Malware can generate a smoke screen of DNS queries and network traffic simply to hide the “real” malicious traffic in a stream of noise that makes it difficult to reverse engineer.

In fact, it’s not unusual for malware to generate traffic to mock various individuals or companies. This is not limited to network traffic; it could be strings in the binary, user-agents, WHOIS data, or anything that can be manufactured to waste the time of the researcher or to troll others.

While amusing, there are far more destructive forms of deception that can and have been employed. If organizations are not scrutinizing the processing of their data, malicious threat actors can poison it to cause outage events.

For instance, if an organization processes lists of known malicious domains -- and bear in mind that attackers also know of these malicious domains -- an attacker could have a few of those domains resolve to IP addresses of important infrastructure. As an example, if an organization simply resolves malicious domains to IPs, then the IPs feed firewalls automatically. One of the resolved IPs points to the organization’s own DNS server, which very quickly results in a significant outage event.

If WHOIS data is forged (which is easy to do), it is possible to direct legal action toward an innocent individual or entity. Even domain generation algorithms (DGAs) -- particularly ones that use wordlists -- could lead to a DGA generating an actually “good” domain name that may get caught up in an automated blocklist.

For CloudFlare hosted domains, “direct” is a default hostname that normally points directly to the actual machine that would otherwise be obfuscated by CloudFlare (e.g. direct.SOMEDOMAIN.com). This is obviously configurable, and a malicious actor could simply point that to an innocent third-party machine. If a researcher is sloppy, he or she could take action against that innocent machine and its owner.

The key to operationalizing CTI rests not simply in generating indicators of compromise; the key rests in the critical thinking that establishes the confidence that a given indicator is, in fact, malicious. Far too many organizations and researchers simply mine for indicators and use those indicators without scrutiny. Malicious actors know this, and it seems like they are starting to use that against us.

 

John Bambenek is a Senior Threat Researcher at Fidelis Cybersecurity. His areas of specialty include digital forensics, global cybercrime investigation, and threat intelligence. He has developed open source feeds of threat intelligence data and works with law enforcement ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RetiredUser
100%
0%
RetiredUser,
User Rank: Ninja
4/22/2015 | 7:13:31 PM
The Black Hats Have the Floor
I couldn't agree more.  As a casual observer, I've been critical of CTI exactly because of what the Black Hatters are taking advantage of.  Data mining, analysis and intelligence must be aggressive and reach out beyond the confines of indicators - something often left to the human interpreter of data, but that can also be programmed, the right mind behind the code.  This means a combination of things, 1) that CTI needs to be realtime - alerting trained ethical hackers 24/7 of an incident in progress, and 2) that those ethical hackers actively engage the intruders using CTI and realtime offensive strategies to push back.  

Yes, as has been raised many times we are often found with our hands tied when it comes to offensive response to Black Hat activity, but as the other side becomes more shrewd and takes advantage of the limitations of the cyber security policies and procedures we execute within the strict letter of the law, it becomes more than evident that something needs to change, whether that is policy, law or to whom we turn to take on the Black Hats who think there is nothing preventing them from intruding in our cyberspace.  The key is, like a police officer pursuing a fleeing suspect from the scene of a crime, active pursuit using the most bleeding-edge network data analysis tools while also having a weapon on the hip, just in case.

With targets like power grids and nuclear refineries out there, I don't see how we can't step up our response. 
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/6/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15505
PUBLISHED: 2020-07-07
MobileIron Core and Connector before 10.3.0.4, 10.4.x before 10.4.0.4, 10.5.x before 10.5.1.1, 10.5.2.x before 10.5.2.1, and 10.6.x before 10.6.0.1, and Sentry before 9.7.3 and 9.8.x before 9.8.1, allow remote attackers to execute arbitrary code via unspecified vectors.
CVE-2020-15506
PUBLISHED: 2020-07-07
MobileIron Core and Connector before 10.3.0.4, 10.4.x before 10.4.0.4, 10.5.x before 10.5.1.1, 10.5.2.x before 10.5.2.1, and 10.6.x before 10.6.0.1 allow remote attackers to bypass authentication mechanisms via unspecified vectors.
CVE-2020-15507
PUBLISHED: 2020-07-07
MobileIron Core and Connector before 10.3.0.4, 10.4.x before 10.4.0.4, 10.5.x before 10.5.1.1, 10.5.2.x before 10.5.2.1, and 10.6.x before 10.6.0.1 allow remote attackers to read files on the system via unspecified vectors.
CVE-2020-15096
PUBLISHED: 2020-07-07
In Electron before versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using "contextIsolation" are affecte...
CVE-2020-4075
PUBLISHED: 2020-07-07
In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, arbitrary local file read is possible by defining unsafe window options on a child window opened via window.open. As a workaround, ensure you are calling `event.preventDefault()` on all new-window events where the `url` or `options` is not ...