The quantity and delicate nature of the records stolen from the Office of Personnel Management (OPM), for me, make it the most meaningful breach of 2015. This story hit close to home for a couple of reasons. Having the benefit of inside sources, I was quoted by the media days after the attack, stating that the Chinese-made PlugX RAT (remote access Trojan) was involved. Upon researching the history of this Trojan, I was shocked to see that its author’s career timeline exactly paralleled mine.
As a software R&D guy, I know that an idea on a whiteboard can take years before the code is not only written, but the product adopted, and used enough to appear in the news. So I react differently to news stories such as those about the OPM hack. While others consider the present and future implications, I often ponder the technology’s incubation period stretching back years prior.
Trend Micro first discovered the PlugX RAT in 2008 and attributed it to Chinese syndicates. Coincidentally, this was also the Year of the Rat in the Chinese zodiac. The Year of the Rat is not all about PlugX; the first advanced persistent threats (APTs) were also being enhanced during this period. The work performed by these noteworthy malware authors was presumably fueled by an increase in Chinese state funding.
Having some feel for the lifecycle of software, I presume PlugX’s authors were developing this malicious code in 2007. Coincidentally, I mirrored my black hat doppelganger that year. I had just been recruited into Guidance Software to work on the industry’s first incident response (IR) product. Today, analysts project the IR market to grow to $14 billion by 2017, but nine years ago, the product we originally named Automated Incident Response (AIR) attracted wisecracks.
Given that they prefer to labor in anonymity, our black hat counterparts surely avoid these challenges. Relieved of the burden of educating risk-averse decision makers, or of battling for inclusion in customer budgets, my agile counterparts simply handed PlugX to sophisticated bad actors who branded cyberspace with their accomplishment.
As my years in R&D have marched on, I’ve spent much time contemplating the natural advantages held by my dark side counterparts. While the detection and response industry broadcasts its every innovation from the mountain tops, black hats work under the cover of darkness. The security industry is probably doing a better job of sharing threat intelligence, but we’re also sharing with the enemy.
An increase in industry spending has brought many talented software developers into the employ of detection and response security vendors. That said, one only needs to peer into a malware production outfit like the recently breached Hacking Team to see that the other side employs the same type of software developers that we do.
Black hats have countered signature-based detection the way I would expect. They’ve developed toolkits like PlugX or DarkComet that spit out zero-day variants in minutes. Whether you’re talking about bypassing simple antivirus detection by producing new file-hash variants, or bypassing sophisticated indicator of compromise (IOC) detection by switching to a different process injection approach, these toolkits can vary an attack with the push of a button.
Mikko Hypponen, in a famous 2012 MIT Technology Review article on the advanced malware Flame, got it right when he declared, “The Antivirus Era Is Over.” Symantec Senior VP Brian Dye might well have sighed when he echoed the same sentiment last May.
There will always be a resource-constrained portion of the industry that simply dissuades low-level attackers with signatures and perimeter defenses. But those with profiles high enough to entice truly sophisticated or state-sponsored actors know full well there is an active battlefield inside their networks. These cybersecurity professionals have resigned themselves to the reality of good old-fashioned hand-to-hand combat.
Big data analytics and machine learning are no magic pills, but will help narrow down false positives and better detect anomalies. To really turn the tide, we need products that are flexible platforms that support communities of researchers. Instead of leveraging the community only for fresh signatures, vendor app stores should allow new detection approaches to be delivered directly to customers as quickly as new malware types are captured. That approach, if adopted broadly, might begin to even the playing field.