Changing the debate...

April 23, 2009

So Brian Krebs interviewed Joe Stewart about his upcoming presentation at RSA and about changing the way we do business in the realm of passive/aggressive cyberwar.

Time for an Internet A-Team?

It was a pretty good article.

I posted a challenge to them to continue the debate in a regular series working through the ins and outs and thought memes that will really serve to percolate and become real game changers. I even offered to host their data on these bad actors on my site.

As you know, we have our Spotlight Shine Bright series, whose goal is identifying and disrupting these bad actors.

I also requested that they come on here and let me interview them to explore these new concepts and challenge them to stretch the bounds of their operational constructs. I would like to bounce some of my ideas around an echo chamber with Joe's, since we are both idea guys, and see what could be possible in the real world.

The ….

Hackers Swipe Terabytes of Sensitive Pentagon Data

Apparently the has been hacked multiple times. Nice :( Way to go with maintaining our pointy tip of the spear. You develop, we rip it from you. Billions in R&D lost. However, if I were on the other side of the fence and had the capabilities, I would steal it from you too if I knew you were too gutless to stop me or fight back.


This is entirely possible. I was on a proactive malware seek-and-destroy digital forensics team for a major defense contractor where we found some of our workers doing DEVELOPMENT work via Air Force Virtual Private Network remote access on small little systems such as Air Force One, the B-52, the Prowler and other air-based electronic attack platforms and systems.

The developer was going out getting all kinds of little open-source and development tools and using them in his work, and somehow got all munged up with a malware infestation. Needless to say we escalated that quickly; however, it amplifies how serious a compromise is and what can happen.

Firms like Northrop, Lockheed, BAE and Boeing are supposed to be the best in the cyber business, but with firms so large and expertise so sparse, you can't guard everything all the time. There are lots of technical solutions for things; however, budgets are sparse, will is low, and bureaucracy is RAMPANT. Process and rules choke out agility and innovation.

At the end of the day I believe game changers are needed to begin targeted and offensive attacks on known cyber operators who are doing this for profit and espionage gain. I mean doing really bad things to these people and their systems and organizations.


The gauntlet is thrown, you have been slapped, what the fuck are you going to do about it…


So a researcher I admire for his willingness to reveal his to the general masses, especially through his top 10 lists of the largest. He has also done excellent research on more sinister malware such as Coreflood, which has evolved over the years.


Apparently he is presenting at RSA soon some concepts similar to those I have been espousing here, such as my cyber Special Ops forces targeting cybercrime networks.

Here is a quote from his

“Finally, on Thursday I’ll be delivering my own presentation entitled “Demonetizing Botnets” at 2:10 PM. This talk outlines my ideas for how we should restructure our efforts at fighting not just botnets, but cybercrime in general, both long and short-term. In this presentation, I will introduce a concept I call “offense-in-depth”, which I believe is the only approach that can address most of the cybercrime problems we are currently facing, given the current environment with respect to law enforcement’s challenges in cyberspace and pervasive vulnerabilities in computing and networking. I’m not saying my plan is any kind of silver bullet, but I hope it becomes part of the arsenal of everyone out there who is attempting to stem the tide of malicious software and computer intrusion. If you are interested in hearing my take on these matters, please attend. If anything I say inspires you to action, please meet up with me after the talk, and we can discuss the issues further. Hope to see you there!”

I love some of the . Titled…. (Joe, I am behind you on this one.)

Researcher wants hacker groups hounded mercilessly

Botnet expert Joe Stewart says ‘special ops’ teams could thwart cybercriminals

I have discussed these concepts in great depth in some of my earlier posts, such as our Spotlight Shine Bright series, my I call Shenanigans, and the BBC Wussy Robin Hood articles.

A technology company employing some of the best and brightest in the field just released an update to their product that actually implements an idea I have been working on since late last year. Clearly many in the security industry have realized that we need a couple of good game-changing concepts to take us to the next level. My focus was on how to change how we COMMUNICATE about malware. If we are all working from the same sheet of paper, then we can focus our efforts on other high-payoff challenges.

The company is called HBGary, led by the guys who literally wrote the book on rootkits.


HBGary seems to have done a good implementation job building Digital DNA features into their flagship product Responder Pro, which is an excellent live memory analysis tool. More and more, live memory analysis is critical to obtaining a full picture of what malware does.


I have been researching similar concepts based on the extraction, through observational analysis, and generation of malware code DNA traits. The goal is to identify and classify malware characteristics (what it is) separately from its functions (what it does).

For example, the fact that a piece of code packs itself to hide from antivirus or hinder reversing is a characteristic. In and of itself it poses no threat. A piece of code that can read/write files on your system and execute programs has dangerous functionality all around. That is a function.

A possible implementation would involve creating an Adobe Flex or HTML 5 based digital cyber dashboard that takes analyzed samples from backend systems, extracts the DNA automatically or manually, and creates a signature for the malware that combines a representative string of bits representing the DNA with exact and fuzzy hashes such as MD5, SHA-1, SHA-256, SHA-512 and ssdeep.

The dashboard would generate a characteristic score and a functional score that roll up into an overall threat score.

The operational vision is to use this dashboard to describe the malware DNA in layman's terms so that cyber operators and CIO types can RAPIDLY understand the threat and deal with it, rather than trying to understand a bunch of gobbledygook.
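To make the characteristic/function split and the signature format concrete, here is an added example (my own sketch, not HBGary's Digital DNA and not code from this post's project): a small trait catalogue keyed on strings and imports an analyst has already pulled out of a sample, a one-bit-per-trait DNA string, MD5/SHA-1/SHA-256/SHA-512 from the standard library, an ssdeep call when the python-ssdeep package is present (with a clearly labelled non-compatible stand-in otherwise), the two scores rolled into a threat score, and a plain-language line for the dashboard. The trait names, weights, regexes, the 70/30 weighting and the sample bytes and strings are all constructed for the example.

```python
"""Toy 'malware DNA' record: traits split into characteristics (what it is)
and functions (what it does), a bit-string DNA, cryptographic and fuzzy
hashes, and the two scores that roll up into a threat score."""
import hashlib
import json
import re

# Trait catalogue (constructed for this example, not HBGary's Digital DNA).
# Each entry: name, kind, weight, regex matched against strings/imports
# that a static or sandbox pass pulled out of the sample.
TRAITS = [
    ("packed",      "characteristic", 1, r"^(UPX[0-9!]|\.themida|\.vmp[0-9])"),
    ("anti_debug",  "characteristic", 2, r"^(IsDebuggerPresent|CheckRemoteDebuggerPresent)$"),
    ("file_rw",     "function",       2, r"^(CreateFileW|ReadFile|WriteFile|DeleteFileW)$"),
    ("exec",        "function",       3, r"^(CreateProcessW|WinExec|ShellExecuteW)$"),
    ("network",     "function",       2, r"^(InternetOpenA|HttpSendRequestA|WSAStartup|connect)$"),
    ("persistence", "function",       3, r"^(RegSetValueExW|CreateServiceW)$|CurrentVersion\\Run"),
]
MAX_CHAR = sum(w for _, k, w, _ in TRAITS if k == "characteristic")   # 3
MAX_FUNC = sum(w for _, k, w, _ in TRAITS if k == "function")         # 10
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# Constructed sample: a stand-in blob plus the strings an analyst would extract from it.
SAMPLE_BYTES = b"MZ" + b"\x90" * 64 + b"UPX0UPX1" + b"constructed sample, not real malware " * 8
SAMPLE_STRINGS = ["UPX0", "UPX1", "IsDebuggerPresent", "CreateFileW", "WriteFile",
                  "CreateProcessW", "Software\\Microsoft\\Windows\\CurrentVersion\\Run"]


def extract_traits(strings):
    """Names of catalogue traits observed in the sample's strings/imports, in catalogue order."""
    return [name for name, _, _, pat in TRAITS if any(re.search(pat, s) for s in strings)]


def dna_bits(traits):
    """One bit per catalogue trait; this is the 'representative string of bits'."""
    return "".join("1" if name in traits else "0" for name, _, _, _ in TRAITS)


def score(traits):
    """Characteristic and functional scores rolled into a 0-100 threat score.
    Functions are weighted 70/30 over characteristics, so a sample that is
    merely packed scores low while one that writes files and runs programs scores high."""
    char = sum(w for n, k, w, _ in TRAITS if n in traits and k == "characteristic")
    func = sum(w for n, k, w, _ in TRAITS if n in traits and k == "function")
    # integer arithmetic keeps the rounding deterministic
    threat = round((30 * char * MAX_FUNC + 70 * func * MAX_CHAR) / (MAX_CHAR * MAX_FUNC))
    return {"characteristic": char, "functional": func, "threat": threat}


def fuzzy_hash(data):
    """ssdeep if the python-ssdeep package is installed; otherwise a labelled
    stand-in (fixed-block piecewise hash, NOT ssdeep-compatible) so the example runs offline."""
    try:
        import ssdeep
        return ssdeep.hash(data)
    except ImportError:
        pass
    block = max(1, len(data) // 32)
    digest = "".join(B64[sum(data[i:i + block]) % 64] for i in range(0, len(data), block))
    return f"{block}:{digest}"


def signature(sample, strings):
    """The full DNA record: trait bits plus exact and fuzzy hashes."""
    traits = extract_traits(strings)
    return {
        "dna": dna_bits(traits),
        "traits": traits,
        "scores": score(traits),
        "md5": hashlib.md5(sample).hexdigest(),
        "sha1": hashlib.sha1(sample).hexdigest(),
        "sha256": hashlib.sha256(sample).hexdigest(),
        "sha512": hashlib.sha512(sample).hexdigest(),
        "ssdeep": fuzzy_hash(sample),
    }


def explain(sig):
    """Plain-language line for the dashboard: what it is, what it does, how bad."""
    kind = {n: k for n, k, _, _ in TRAITS}
    chars = [t for t in sig["traits"] if kind[t] == "characteristic"]
    funcs = [t for t in sig["traits"] if kind[t] == "function"]
    return (f"What it is: {', '.join(chars) or 'no evasion traits seen'}. "
            f"What it does: {', '.join(funcs) or 'nothing dangerous observed'}. "
            f"Threat score {sig['scores']['threat']}/100.")


if __name__ == "__main__":
    sig = signature(SAMPLE_BYTES, SAMPLE_STRINGS)
    print(json.dumps(sig, indent=2))
    print(explain(sig))
```

The point of keeping characteristics and functions as separate scores is visible in the numbers: the constructed sample above (packed, anti-debug, writes files, spawns processes, sets a Run key) lands at 86/100, while a sample whose only trait is the UPX packer scores 10/100, which matches the "packed in and of itself poses no threat" rule. Swap the catalogue for your own trait list and feed it the strings and import table your tooling already extracts; the hashes are the part that never changes.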

The third component is an intelligence component that combines raw multi-disciplined private and open-source intelligence on the bad guys who are behind the campaigns into digital dossiers.
