
Vulnerabilities / Threats

1/5/2016 10:30 AM
Paul Shomo
Commentary

How Technologies Incubated A Decade Ago Shape The World Today

The security industry is doing a better job of sharing threat intelligence than ever before, but we're also sharing with the enemy.

The quantity and delicate nature of the records stolen from the Office of Personnel Management (OPM), for me, make it the most meaningful breach of 2015. This story hit close to home for a couple of reasons. Having the benefit of inside sources, I was quoted by the media days after the attack, stating that the Chinese-made PlugX RAT (remote access Trojan) was involved. Upon researching the history of this Trojan, I was shocked to see its author's career timeline exactly paralleled mine.

As a software R&D guy, I know that an idea on a whiteboard can take years before the code is not only written, but the product adopted, and used enough to appear in the news. So I react differently to news stories such as those about the OPM hack. While others consider the present and future implications, I often ponder the technology’s incubation period stretching back years prior.

Trend Micro first discovered the PlugX RAT in 2008 and attributed it to Chinese syndicates. Coincidentally, this was also the Year of the Rat in the Chinese zodiac. The Year of the Rat is not all about PlugX; the first advanced persistent threats (APTs) were also being enhanced during this period. The work performed by these noteworthy malware authors was presumably fueled by an increase in Chinese state funding.

Having some feel for the lifecycle of software, I presume PlugX’s authors were developing this malicious code in 2007. Coincidentally, I mirrored my black hat doppelganger that year. I had just been recruited into Guidance Software to work on the industry’s first incident response (IR) product. Today, analysts project the IR market to grow to $14 billion by 2017, but nine years ago, the product we originally named Automated Incident Response (AIR) attracted wisecracks.

Given that they prefer to labor in anonymity, our black hat counterparts surely avoid these challenges. Relieved of the burden of educating risk-averse decision makers, or of battling for inclusion in customer budgets, my agile counterparts simply handed PlugX to sophisticated bad actors who branded cyberspace with their accomplishment.

As my years in R&D have marched on, I’ve spent much time contemplating the natural advantages held by my dark side counterparts. While the detection and response industry broadcasts its every innovation from the mountain tops, black hats work under the cover of darkness. The security industry is probably doing a better job of sharing threat intelligence, but we’re also sharing with the enemy.

An increase in industry spending has brought many talented software developers into the employ of detection and response security vendors. That said, one only needs to peer into a malware production outfit like the recently breached Hacking Team to see that the other side employs the same type of software developers that we do.

Black hats have countered signature-based detection the way I would expect. They've developed toolkits like PlugX or DarkComet that spit out zero-day variants in minutes. Whether you're talking about bypassing simple antivirus detection by producing new file-hash variants, or bypassing sophisticated indicator of compromise (IOC) detection by switching to process injection, these toolkits can vary an attack with the push of a button.
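To make the point about brittle indicators concrete, here is an added example (mine, not the author's or any vendor's code) that compares three detection layers on constructed inputs: a file-hash IOC, a YARA-style content signature on a stable string, and a behavioral rule over Sysmon-like process events. The sample bytes, the `beacon_uri` string, the event records and the allow-list entry `edr_agent.exe` are all constructed placeholders; no real malware bytes or real product names are assumed.

```python
import hashlib
import re

# Constructed sample "files" for this example only; they are not real malware bytes.
IMPLANT_CORE = (
    b"MZ\x90\x00fictional-implant-core;"
    b"beacon_host=update.example.invalid;beacon_uri=/upd/chk"
)
KNOWN_SAMPLE = IMPLANT_CORE + b"\x00" * 16
# "Repacked" variant: identical core, one extra padding byte, therefore a new file hash.
REPACKED_VARIANT = IMPLANT_CORE + b"\x00" * 17

# Layer 1: file-hash IOCs, the form most threat-intel feeds share.
HASH_IOCS = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}

# Layer 2: content signature keyed on a string the implant needs to function.
# It survives repacking or padding, which a hash does not.
CONTENT_SIGNATURES = {
    "fictional_implant_beacon": re.compile(rb"beacon_uri=/upd/chk"),
}

# Layer 3: behavioral rule over endpoint telemetry. Cross-process thread creation or
# section mapping from an unexpected source process is the classic injection signal
# that no file-based indicator can see.
INJECTION_APIS = {"CreateRemoteThread", "NtMapViewOfSection", "QueueUserAPC"}
TRUSTED_INJECTORS = {"edr_agent.exe"}  # placeholder allow-list; tune per environment


def sha256_hex(blob):
    return hashlib.sha256(blob).hexdigest()


def hash_ioc_hit(blob):
    """True only if the exact file hash is on the IOC list."""
    return sha256_hex(blob) in HASH_IOCS


def content_signature_hits(blob):
    """Names of content signatures that match anywhere in the file."""
    return [name for name, rx in CONTENT_SIGNATURES.items() if rx.search(blob)]


def classify_file(blob):
    """Run the two file-based layers and report what each one sees."""
    return {"hash_ioc": hash_ioc_hit(blob), "content": content_signature_hits(blob)}


def behavioral_hits(events):
    """Flag cross-process injection-style API calls from non-allow-listed sources."""
    hits = []
    for ev in events:
        if ev["api"] not in INJECTION_APIS:
            continue
        if ev["source"] == ev["target"]:  # same-process use is routine
            continue
        if ev["source"] in TRUSTED_INJECTORS:
            continue
        hits.append(f"{ev['source']} -> {ev['target']} via {ev['api']}")
    return hits


# Constructed Sysmon-like events: one injection from an Office process, one from an
# allow-listed agent, one same-process call that should not alert.
SAMPLE_EVENTS = [
    {"source": "winword.exe", "target": "explorer.exe", "api": "CreateRemoteThread"},
    {"source": "edr_agent.exe", "target": "svchost.exe", "api": "NtMapViewOfSection"},
    {"source": "browser.exe", "target": "browser.exe", "api": "CreateRemoteThread"},
]

if __name__ == "__main__":
    print("known sample   :", classify_file(KNOWN_SAMPLE))
    print("repacked       :", classify_file(REPACKED_VARIANT))
    print("behavioral hits:", behavioral_hits(SAMPLE_EVENTS))
```

Running it shows the known sample matching on both file layers, the repacked variant slipping past the hash IOC while the content signature still fires, and the behavioral rule catching the Office-to-explorer injection regardless of what the dropped file looked like. The lesson for a detection team is to share and consume indicators at the most stable layer available (strings, behaviors, infrastructure patterns) rather than only hashes.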

Mikko Hypponen, in a famous 2012 MIT Technology Review article on the advanced malware Flame, got it right when he declared, “The Antivirus Era Is Over.” Symantec Senior VP Brian Dye might well have sighed when he echoed the same sentiment last May.

There will always be a resource-constrained portion of the industry that simply dissuades low-level attackers with signatures and perimeter defenses. But those with profiles high enough to entice truly sophisticated or state-sponsored actors know full well there is an active battlefield inside their networks. These cybersecurity professionals have resigned themselves to the reality of good old-fashioned hand-to-hand combat.

Big data analytics and machine learning are no magic pills, but will help narrow down false positives and better detect anomalies. To really turn the tide, we need products that are flexible platforms that support communities of researchers. Instead of leveraging the community only for fresh signatures, vendor app stores should allow new detection approaches to be delivered directly to customers as quickly as new malware types are captured. That approach, if adopted broadly, might begin to even the playing field.

Prior to becoming an independent analyst, Paul Shomo was one of the engineering and product leaders behind the forensics software EnCase. In addition to his work in the digital forensics and incident response (DFIR) space, he developed code for OSes that power many of today's ...
