Under-appreciated Concept of Malware Intelligence.

March 21, 2011


One of the things that drives my research in relation to other technical research on malware that only tends to focus on the bits and the bytes is the fact that you can tell entire stories and interrelate seemingly disparate hostile acts of cyber aggression if you know enough and look long enough at the data right in front of you.

The concept of malware intelligence and connecting the dots after view many many samples seems to be under appreciated in the industry to a large extent.  Especially with AV vendors whose mission is to mainly focus on large prevalent threats and most of the Excellent stuff is never reported or just rubbed out of existence with ridiculous CARO naming convention names that mean nothing to the end user and speak nothing to the level of Weaponization of the malware nor its myriad of intelligence nuggets that can be found in its inner core.  Additionally where this information may be discovered, it is not correlated, shared, or discussed in the open.  The actors and organizations are given free reign to act in the shadows due to the fact that no one is actually pointing a finger in their direction and putting heat on them.  This is additionally true in the cybercrime area of malware development where many may know the actors responsible or behind networks however keep it private.    This only enables the sorry state of our situation where the game has completely changed and a tipping point (actually we are way past that) has occurred.  The ground has shifted under our feet and we are still not gauging how serious things are occurring.

GAMECHANGER: I am proposing that industry luminaries come together to create a highly technical Malware Intelligence Fusion Center with the express goal of bringing the special weaponization techniques to light and out in the open.  Identify and correlate the myriad of slipups that hostile actors use that can enable attribution whether it be embedded payload metadata, unique encryption, shellcode specifics, payload pedigrees, TTPs of hostile actors, and then tie these back to multi-INT sources of open source intelligence thus creating threat dossiers that can be leveraged for real world actions.

These cyber actions are done precisely because there is NO risk of consequence, They can operate in the dark because the industry allows them to.  They fail to focus on the fine technical details that might actually connect the dots and draw a bigger picture, then use that knowledge to force a change of behavior.   The numerous denials from various Foreign Ministers about how they would Never ever do these things is on its face wholly ridiculous, however when challenged after each attack, the victims simply let it go, they do not aggressively push for results, demand a change in behavior, or impose consequences collectively or individually.  Most will simply write up a small malware analysis report, not the C2 IP address for (blocking purposes) which is completely worthless and holds NO worth whatsoever in cyberdefense now as we speak.  Then they will post it somewhere and occasionally it will get referenced when next attack occurs.

The collective talent in the security and AV space is staggering, however with all that brain power not a single group or entity (save for possibly Mandiant) has truly tackled and provided a real Cyber Espionage Malware Intelligence capability that is worth much of anything.  If countries want to do the malware espionage game, then they will have to up their game and not get caught, or else all their information is identified and captured and made available to the community for the purposes of collective defense.  (think water buffaloes rallying around and protecting themselves when a pride of lions enters the area)

One of the problems is that much of this is done sort-of effectively in the military/intelligence space, however its pretty much akin to a group of lords and ladies all protected behind big stone walls while the barbarians ravage the countryside and pillage the peasants and merchant class.  This is Exactly what is occurring today, however the fallacy is thinking that the lords and ladies behind the walls are actually safe.  They are not.  They are under concerted siege, and only discovering the rotting diseased corpses that have been placed in the wells, and catapulted over the walls at night, and the assassin insiders that manipulate and kill from within.   Cyber espionage is at a risk of being over popularized to the point where now people hear of a major breach, roll their eyes and say O man not again.  O well.  It happens a lot and then proceed to blah blah about how they should have been secure.

Why has the public discussion not turned openly hostile, demanded action, demanded answers and started act in a more active defense posture towards this?  Currently there is very little open academic or public debate on the benefits of aggressive self defense.  I will say that the latest video where this poor fat kid is just getting the crap punched out of him by a sadistic yet smaller little bastard of a kid.  The fat kid finally say @#$@# and grabs the little pissant, heaves him up in the air and slams his ass on the hard concrete.    The bully then proceeds to do a ridiculous “I just got knocked the F&(k out!” wobble and the bullied kid walks away.

This should serve as a nice inspiration for an example in active defense but I doubt many think its time to work on these things.

My main purpose for this blog was to infect the blogosphere with memes’ and concepts to modify the way things are being done today in the realms of cyberwar/conflict and the sorry situation we are in.  I have proposed game changing concepts that seem to be so actively sought after by organizations like DARPA and NIST as well as others.   Based on the types of organizations that have actively followed this blog, I would say that some of the content has influenced actions or ideas and maybe just maybe planted seeds, where we can pivot from the old and emerge stronger and more active into the new paradigm we find ourselves in.

Many have inquired about the various sources of some of my previous posts.  You can piece together much of the cyber espionage program by researching a variety of sources such as ThreatExpert / Security research on zero-day exploits where they cover not only the embedded attacks, but analysis of the payloads, deep technical analysis on contagio’s web site samples.  Combine that with reports to congress on China, James M’s excellent reporting on behalf of NGC, Topical reports from InfoWar Monitor on GHOSTNET/Aurora/Nightdragon and others, as well as the Excellent malware analysis reports that where exposed due to HBGary’s colossal fuckup revealing new victims as well as in depth malware analysis reports from the targeted and thoroughly compromised Qinetiq organization that works in cyber defense,  Tieing that to the revelations of Wikileaks which exposed methods and code names and past attacks and timelines, along with the excellent reports that Mandiant puts out, and you can easily combine it with the full bevy of open source social networking research to make and tell a wonderful fact based story and connect the dots.  The fact that attackers suck so much at their job (or don’t care about operational security) or that we are just so good and putting the pieces together makes for interesting days.

We shall see how the RSA thing pans out, however there are more “invasions” BTW that’s what China calls computer intrusions…. than you can shake a stick at and we and our allies will be doing post mortem until the cows come home.  In the mean time those little bastards will continue to steal our data on the hosts You Are not looking at.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: