Malware Metadata Sharing Standard (Gamechanger #2)
October 8, 2009
After 20 years of security incidents, the security industry is finally figuring out that it might benefit from sharing data and using modern technology to change the game, getting some real industry synergies going to combat the scale and scope of the cyber crime and damaging incidents that scourge each country and its citizens.
Here is a post from McAfee’s research blog that discusses it. This effort touches on work I have been doing on a concept of Malware DNA, but on a grander scale and with a much broader vision that involves the operationalization of malware intelligence.
Malware characteristics and functions are encoded in a specialized bitstring that maps to an XML Schema and a backend database, with elements pulled directly from the numerous research reports published over the years on malware and its tactics, techniques and procedures (TTPs).
Here is the post. This idea has huge potential for research and is truly a gamechanger.
Malware and standards – is it possible?
I am excited to be involved in the joint industry effort of defining an XML format which will allow for the rapid exchange of information between security companies. This work was done by the “Malware Working Group” operating as part of the “Industry Connections Security Group” (ICSG) and under the umbrella of the IEEE. If you Google for “IEEE” and “ICSG” you should find the link at the top of the list – IEEE ICSG.
There were about 20 people from multiple security companies who contributed to the development of the proposal for the standard and I am very pleased with the results. It is a simple, flexible and powerful format that is already being used by 4 anti-malware companies to transmit meta-data about the prevalence of malware in the field. Wider adoption of this meta-data sharing will replace the trivial malware sample exchange of the past with a real-time exchange of threat intelligence data. Communicating the relationships between malware samples, domains, IPs will open endless possibilities for improving the security of all Internet users.
For example, it will allow us to describe the whole history of domains/IPs that were used by a specific malware writing group, which malware they hosted and even how the malware got installed onto users’ computers. And this can be expressed in an unambiguous way suitable for rapid automated analysis. In a word – it’s powerful!
But there are huge benefits even in the trivial transmission of the simplest malware prevalence data:
- If you are an anti-malware vendor you will be able to prioritize samples in your research queues.
- If you are a testing organization you will be able to create more relevant test sets (for example, downgrade rare and old samples).
- If you are an administrator you can submit consolidated field reports to anti-malware vendors and help make the Internet a safer place.
Here is what a portion of the XML with meta-data looks like.

If you are interested, the complete XML schema is available here.
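As an added illustration (my own example, not code from the McAfee post or the ICSG working group), here is a small Python consumer of such a feed: it follows the sample-to-domain-to-IP relationships the post describes and builds the prevalence-ordered research queue that downgrades rare and old samples. The feed is constructed in a simplified schema invented for this example, so the element names, hashes, domain and IP are placeholders and not the ICSG schema.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import date

# Constructed feed in a simplified schema invented for this example (not the ICSG schema); all values are made up.
FEED = """<malwareMetaData version="example">
  <objects>
    <file id="f1"><md5>00000000000000000000000000000001</md5><fieldReport count="5400" lastSeen="2009-10-01"/></file>
    <file id="f2"><md5>00000000000000000000000000000002</md5><fieldReport count="3" lastSeen="2008-02-11"/></file>
    <domain id="d1"><name>malware-host.example</name></domain>
    <ip id="i1"><address>192.0.2.10</address></ip>
  </objects>
  <relationships>
    <relationship type="downloadedFrom" source="f1" target="d1"/>
    <relationship type="downloadedFrom" source="f2" target="d1"/>
    <relationship type="resolvesTo" source="d1" target="i1"/>
  </relationships>
</malwareMetaData>"""


def parse_feed(xml_text):
    """Return (objects, edges): objects maps id -> record, edges maps source id -> [(type, target id)]."""
    root = ET.fromstring(xml_text)
    objects, edges = {}, defaultdict(list)
    for obj in root.find("objects"):
        rec = {"kind": obj.tag, "id": obj.get("id")}
        label = obj.find("md5") if obj.tag == "file" else obj[0]  # hash for samples, name/address otherwise
        rec["label"] = label.text
        rep = obj.find("fieldReport")  # prevalence data: how often and how recently the sample was seen
        if rep is not None:
            rec["count"] = int(rep.get("count"))
            rec["last_seen"] = date.fromisoformat(rep.get("lastSeen"))
        objects[rec["id"]] = rec
    for rel in root.find("relationships"):
        edges[rel.get("source")].append((rel.get("type"), rel.get("target")))
    return objects, dict(edges)


def infrastructure_for(objects, edges, file_id):
    """Walk relationships transitively from a sample to every domain and IP linked to it."""
    seen, stack = set(), [file_id]
    while stack:
        for _, target in edges.get(stack.pop(), []):
            if target not in seen:
                seen.add(target)
                stack.append(target)
    return sorted(objects[t]["label"] for t in seen)


def research_queue(objects, today, stale_days=365):
    """Order samples by prevalence; samples not seen within stale_days are downgraded to the back."""
    files = [o for o in objects.values() if o["kind"] == "file"]
    files.sort(key=lambda o: ((today - o["last_seen"]).days > stale_days, -o["count"]))
    return [o["label"] for o in files]
```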