Tuesday, April 19, 2011

Is APT really about the person and not the malware?

Maybe the “APT is person not malware” pendulum is swinging to the extreme. Understandably it’s a response to commercial enterprises being obsessed with pure-play malware detection. But what is the alternative? Spend tons of money on consulting and RE/forensic services for years on end? Customers are tired of paying for that. They must build a security methodology that accounts for persistent attackers – something that can be managed internally and that leverages automated detection as much as possible. To that end, detecting APT must include the malware, tools, and codified threat intelligence.

As tired as it is, the ‘Hacking Exposed’ story hasn’t changed. We must continue to highlight that a real criminal is at the other end of the keyboard, and that he is persistent and will keep coming back. We know that he will use more than one tool, more than one method of entry, and he won’t go away no matter what kind of malware detection you have. But the idea that it’s all about the human and not malware or TTPs is simply untrue. Malware and TTPs have a critical role to play in combating APT.

To date this year, HBGary has identified and tracked multiple human threat actors using the science of attribution, many of them operating overseas. Our attribution begins with profiling the CnC, the developer toolmarks, and the forensic artifacts left behind after an intrusion. While some RATs are “easy to detect - difficult to attribute” (e.g., Poison Ivy), we have also found modified and custom tools that contain unique indicators. This information can be used along with open source intelligence and link analysis (we heart Maltego) to locate online identities, forums, and social spaces. This can lead to the discovery of real identities – the attacker’s real name, address, and even photographs.

It makes no sense to separate the human from the malware and TTPs. They are two ends of the same spectrum. This is not a black-and-white science; it works because humans aren’t perfect. It works because humans are creatures of habit and tend to use what they know. They use the same tools every day and don’t rewrite their malware every morning. They don’t have perfect OPSEC. They put their digital footprints out on the Internet long ago – and it’s usually just a few clicks away from discovery. There is a reflection of the threat actor behind every intrusion. To discount this is to discount forensic science.

Digital attribution is important because it scales. An army of consultants watching your network does not scale; they don’t share their threat data, and they’re expensive. Couple that with out-of-date methods for determining a breach (imaging a 500GB hard drive to find 200 bytes of actionable data) and you can see why customers want/need a better solution to empower their own teams. This is why researching automated methods for threat detection is so important. Threat detection leads to threat intelligence: actionable data you can feed back into your process to make it more difficult for the attacker to succeed in your network. For example, endpoint physical memory can reveal decrypted CnC addresses that can plug directly into the perimeter IDS – making your existing investment smarter.

For me, the concept is clear – reverse engineer the endpoint hosts down to the rawest dataset. From this, automatically piece together the parts that appear to relate to suspicious activity. Map this against a database of known malicious behaviors – software, host, timeline, forensic, all of it. Do this automatically and alert on the outliers. HBGary’s Digital DNA does this by using a weighted fuzzy hash of the behaviors. Fuzzy hash because hashes are understood in the enterprise, and weighted because security is a risk management problem that begs for red/yellow/green. The result is huge scalability and effectiveness for a problem that is traditionally expensive and understaffed.
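The pipeline sketched in the paragraph above, as an added illustration that is not HBGary’s Digital DNA (whose real traits, weights and hashing are not on this page): behaviours recovered from endpoint memory are weighted, fuzzily matched against a library of known-bad behaviour profiles, bucketed red/yellow/green, and fleet-wide outliers are alerted. Every trait name, weight, threshold and sample host below is a constructed assumption.

```python
from statistics import median

# Constructed trait weights (illustrative assumption, not Digital DNA's real ones):
TRAIT_WEIGHTS = {
    "hooks_ssdt": 15, "hides_process": 15, "patches_kernel_code": 15,
    "injects_remote_thread": 12, "keylog_hook": 10, "beacon_http": 8,
    "packed_section": 5, "autorun_registry": 4, "reads_clipboard": 3,
}
# Constructed library of known-malicious behaviour profiles (trait sets).
KNOWN_BAD = {
    "generic_rat": {"injects_remote_thread", "keylog_hook", "beacon_http", "autorun_registry"},
    "kernel_rootkit": {"hooks_ssdt", "hides_process", "patches_kernel_code"},
}
# Constructed sample: traits recovered from memory per host/module across a small fleet.
SAMPLE = {
    ("ws01", "explorer.exe"): {"reads_clipboard"}, ("ws02", "explorer.exe"): {"reads_clipboard"},
    ("ws02", "update.dll"): {"injects_remote_thread", "keylog_hook", "beacon_http", "packed_section"},
    ("ws03", "explorer.exe"): {"reads_clipboard"}, ("ws03", "ndis_helper.sys"): {"hooks_ssdt", "hides_process"},
}

def score(traits):
    """Weighted sum of a module's observed traits; unknown traits add nothing."""
    return sum(TRAIT_WEIGHTS.get(t, 0) for t in traits)

def weighted_similarity(traits, profile):
    """Weighted Jaccard overlap, the 'fuzzy' part: near-identical trait sets still score high."""
    inter = sum(TRAIT_WEIGHTS.get(t, 0) for t in traits & profile)
    union = sum(TRAIT_WEIGHTS.get(t, 0) for t in traits | profile)
    return inter / union if union else 0.0

def classify(traits, red=30, yellow=12, match=0.75):
    """Map traits to red/yellow/green and name the closest known-bad profile."""
    s = score(traits)
    best = max(KNOWN_BAD, key=lambda p: weighted_similarity(traits, KNOWN_BAD[p]))
    sim = weighted_similarity(traits, KNOWN_BAD[best])
    color = "red" if s >= red or sim >= match else "yellow" if s >= yellow else "green"
    return color, s, best, sim

def fleet_alerts(modules):
    """modules: {(host, module): traits}. Alert on every red module and on yellow
    modules that are outliers against the fleet baseline (score > median + 2*MAD)."""
    scores = [score(t) for t in modules.values()]
    med = median(scores)
    mad = median(abs(s - med) for s in scores) or 1  # avoid a zero spread on a quiet fleet
    alerts = []
    for key, traits in modules.items():
        color, s, prof, sim = classify(traits)
        if color == "red" or (color == "yellow" and s > med + 2 * mad):
            alerts.append((key, color, s, prof, round(sim, 2)))
    return sorted(alerts, key=lambda a: -a[2])
```

Running `fleet_alerts(SAMPLE)` flags only update.dll and ndis_helper.sys; the explorer.exe instances that every host shares stay green.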

Tuesday, April 12, 2011

Two new threat intelligence papers CSOs will want to read

Industrial Espionage in the Global Energy Market

Since 2005, HBGary has been tracking variants of malware created and originated in China that indicate a complex cyber espionage operation targeting multiple industries, including the energy sector. In this new whitepaper, "Industrial Espionage in the Global Energy Market," HBGary provides technical details about these cyberattacks as well as the type of critical data targeted and successfully obtained and sent back to China. This report is restricted release to qualified executives, government, and law enforcement only. Available from hbgary.com

Threats in the Age of WikiLeaks

HBGary has released its threat report ‘Threats in the Age of WikiLeaks’ – CSOs will want to read this report. Cyber-threats are evolving fast, but we must stay ahead if we are to secure our information systems and our brands. With leak platforms (WikiLeaks, AnonLeaks, CrowdLeaks, InfoLeaks, People’s Liberation Front) comes the increased risk of insider threats and acts of information terrorism. Unlike traditional APT, which does its damage over years, leak platforms represent immediate damage to stock value, profitability, and brand. Acts of cyber terrorism can disrupt systems and business continuity. To date, the severity of this threat has been underplayed in the press – this report exposes the true and dangerous nature of the threat. The report provides immediate and actionable data to help you detect potential insider threats and attacks. This report is restricted release to qualified executives, government, and law enforcement only. Available from hbgary.com

Friday, April 8, 2011

Rootkit Evolution

Over the last few years HBGary has researched significant advancements in rootkit technology. We are pushing the envelope of what’s possible in the Windows kernel. I’m glad to say that we haven’t seen anything in the wild that is remotely close to what we have developed in our labs. So, we are still ahead of the threat. This keeps our Digital DNA ‘frosty’, so to speak, but probably further ahead of the threat curve than it needs to be. That’s not a bad thing for people protecting against APT – we want to stay one step ahead of the bad guys. Those who have followed my work in rootkits over the years probably noticed that I stopped releasing public material on the subject years ago. This is because I didn't want to educate the bad guys on how to develop this stuff. But that doesn’t mean the research has stopped – just that some things should only be briefed behind closed doors.