Dark Reading is part of the Informa Tech Division of Informa PLC



10:30 AM
Paul Shomo

How Technologies Incubated A Decade Ago Shape The World Today

The security industry is doing a better job of sharing threat intelligence than ever before, but we're also sharing with the enemy.

The quantity and delicate nature of the records stolen from the Office of Personnel Management (OPM), for me, make it the most meaningful breach of 2015. This story hit close to home for a couple of reasons. Having the benefit of inside sources, I was quoted by the media days after the attack, stating that the Chinese-made PlugX RAT (remote access Trojan) was involved. Upon researching the history of this Trojan, I was shocked to see that its author's career timeline exactly paralleled mine.

As a software R&D guy, I know that an idea on a whiteboard can take years before the code is not only written, but the product adopted, and used enough to appear in the news. So I react differently to news stories such as those about the OPM hack. While others consider the present and future implications, I often ponder the technology’s incubation period stretching back years prior.

Trend Micro first discovered the PlugX RAT in 2008 and attributed it to Chinese syndicates. Coincidentally, this was also the Year of the Rat in the Chinese zodiac. The Year of the Rat is not all about PlugX; the first advanced persistent threats (APTs) were also being enhanced during this period. The work performed by these noteworthy malware authors was presumably fueled by an increase in Chinese state funding.

Having some feel for the lifecycle of software, I presume PlugX’s authors were developing this malicious code in 2007. Coincidentally, I mirrored my black hat doppelganger that year. I had just been recruited into Guidance Software to work on the industry’s first incident response (IR) product. Today, analysts project the IR market to grow to $14 billion by 2017, but nine years ago, the product we originally named Automated Incident Response (AIR) attracted wisecracks.

Given that they prefer to labor in anonymity, our black hat counterparts surely avoid these challenges. Relieved of the burden of educating risk-averse decision makers, or of battling for inclusion in customer budgets, my agile counterparts simply handed PlugX to sophisticated bad actors who branded cyberspace with their accomplishment.

As my years in R&D have marched on, I’ve spent much time contemplating the natural advantages held by my dark side counterparts. While the detection and response industry broadcasts its every innovation from the mountain tops, black hats work under the cover of darkness. The security industry is probably doing a better job of sharing threat intelligence, but we’re also sharing with the enemy.

An increase in industry spending has brought many talented software developers into the employ of detection and response security vendors. That said, one only needs to peer into a malware production outfit like the recently breached Hacking Team to see that the other side employs the same type of software developers that we do.

Black hats have countered signature-based detection the way I would expect. They've developed toolkits like PlugX or DarkComet that spit out fresh, never-before-seen variants in minutes. Whether you're talking about bypassing simple antivirus detection by producing a new file-hash variant, or bypassing more sophisticated indicator of compromise (IOC) detection by switching to a different process injection technique, these toolkits can vary an attack with the push of a button.
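To make the hash-variant point concrete, here is an added example (not code from the article or from any real builder kit) that plays both roles: a "builder" that emits padded copies of a constructed dropper so every file hash changes, and two detectors run over the output. The sample bytes, the `cfg=...;sleep=...` beacon string and the regular expression are assumptions invented for the demonstration; they are not taken from PlugX, DarkComet or any real sample.

```python
import hashlib
import re

# Constructed sample files standing in for a RAT dropper and a benign installer.
# Illustrative bytes only, not real PlugX or DarkComet content.
BASE_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"beacon cfg=/update.php;sleep=300"
    + b"\x00" * 32
)
BENIGN_SAMPLE = b"MZ\x90\x00" + b"\x00" * 60 + b"hello world installer" + b"\x00" * 32

# Hash IOC a defender captured from the first sample seen in the wild.
HASH_IOCS = {hashlib.sha256(BASE_SAMPLE).hexdigest()}

# Content indicator on the beacon config the builder left unchanged.
# Assumption: the pattern is invented for this example, not derived from real samples.
CONTENT_PATTERN = re.compile(rb"cfg=/[a-z]+\.php;sleep=\d+")


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def make_variants(base, count):
    """Builder side: append a different junk tail to each copy so every
    file hash differs while the embedded config (and behaviour) stays put."""
    return [base + bytes([0xCC, i]) * (i + 1) for i in range(count)]


def matches_hash_ioc(data):
    """Signature-style check: exact SHA-256 membership in the IOC list."""
    return sha256(data) in HASH_IOCS


def matches_content_pattern(data):
    """Content-style check: look for the beacon config string itself."""
    return CONTENT_PATTERN.search(data) is not None


def detection_report(samples):
    """Map each sample name to which detector fired on it."""
    return {
        name: {"hash": matches_hash_ioc(d), "pattern": matches_content_pattern(d)}
        for name, d in samples.items()
    }


if __name__ == "__main__":
    samples = {"base": BASE_SAMPLE, "benign": BENIGN_SAMPLE}
    for i, v in enumerate(make_variants(BASE_SAMPLE, 3)):
        samples[f"variant{i}"] = v
    for name, hits in detection_report(samples).items():
        print(f"{name:9s} sha256={sha256(samples[name])[:12]}... "
              f"hash_ioc={hits['hash']} pattern={hits['pattern']}")
```

Every padded variant defeats the hash IOC while the content pattern still fires, which is the whole reason a builder can mint "new" malware on demand against hash-only defences; the same builder would also defeat the pattern the moment its author randomizes the config string, so a detector that survives needs to key on behaviour rather than on any single static artifact.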

Mikko Hypponen, in a famous 2012 MIT Technology Review article on the advanced malware Flame, got it right when he declared, “The Antivirus Era Is Over.” Symantec Senior VP Brian Dye might well have sighed when he echoed the same sentiment last May.

There will always be a resource-constrained portion of the industry that simply dissuades low-level attackers with signatures and perimeter defenses. But those with profiles high enough to entice truly sophisticated or state-sponsored actors know full well there is an active battlefield inside their networks. These cybersecurity professionals have resigned themselves to the reality of good old-fashioned hand-to-hand combat.

Big data analytics and machine learning are no magic pills, but will help narrow down false positives and better detect anomalies. To really turn the tide, we need products that are flexible platforms that support communities of researchers. Instead of leveraging the community only for fresh signatures, vendor app stores should allow new detection approaches to be delivered directly to customers as quickly as new malware types are captured. That approach, if adopted broadly, might begin to even the playing field.

Prior to becoming an independent analyst, Paul Shomo was one of the engineering and product leaders behind the forensics software EnCase. In addition to his work in the digital forensics and incident response (DFIR) space, he developed code for OSes that power many of today's ...
