The Conundrum of Detection and Intelligent Response
March 21, 2011
One of the most vexing and frustrating (for many) aspects of cyber espionage intrusion response is the ongoing debate over whether or not samples discovered should be submitted to AV companies. Obviously what would happen is that at some point most likely an automatic process would engage and some type of generic signature would be generated marking it and its variants as malicious. The hosts monitored would then detect and delete the sample, the smart CNE operator would detect this, and then modify his sample for new and undetected attacks.
One of the primary worries by many is “We don’t want them evolving! It will be to hard to find and detect!” Therefore lets not up the ante by forcing them to evolve. Well, has that helped the situation at all? NO. Has that stemmed the massive data loss. NO. Sure its easier to analyze samples when they are not packed, and the code is easy to read.
Groups like Mandiant and others working investigative forensic response have seen samples become detected and the adversaries entrench deeper, and modify their malware which foils an effective response and they have to start their intelligence collection cycle again before they can do a proper remediation. Of course this would help their billings, but it really doesn’t help the poor victims and it does not stem the data loss and it certainly does not get them out.
In light of this issue I propose a concept I have been espousing for a while.
GAMECHANGER: Out of Band CyberEspionage Malware notification/alert system for AV security endpoint agents.
Currently victims don’t want to reveal their malware and all its nefarious tricks to AV companies for fear of it pooching a remediation effort. AV systems typically detect threat and delete, simple as that. Usually admins don’t even look at the AV logs and even then the information is usually not much use. Ironically the consumer AV product offerings are more descriptive than the commercial ones.
What is needed is for AV companies to have an option so that anytime a specific espionage malware related event occurs, the customer has registered a hotline number and POC that can be registered for example the CISO, or one of their lead investigators who will be notified in an out of band fashion. Detection of this malware would do simply that, Detect and report via out of band. It will never block it, alert it, report it, share it, or raise any results whatsoever on a scan event. The ONLY communication will be from the AV vendor directly via encrypted out of band communication to the registered POC who would be very cognizant of the importance of this particular threat. Well one would ask, what exactly gets detected signature wise for this type of event? It could consist of in the cloud “highly sensitive signatures” that are developed as a result of espionage related incident investigations with a focus on custom malware and malware that is openly available, however used predominately by cyber espionage actors. The malware sample set could include hashes, IP and domain lists, detection of very specific techniques, signatures, ectera that would constitute a compilation of intelligence that is several orders of magnitude smaller than all the copious amounts of cybercrime information that is prevalent today. This small data set of intelligence if generated by authoritative sources in a collaborative fashion, combined with a secure and intelligent way would allow for rapid notification to a organization UHhhh You got some Serious Problems going on, PLA is all up in yoZ SHIT. This could dramatically change the balance of power.
Investigators would be free to segregate and label samples as espionage-ware if properly vetted, highly advanced analytical resources can then collaboratively rip apart samples to a much more in depth technical level, and resources would have a higher qualitative return on investment due to the fact that they are not wasting time with crap, and focusing on a much smaller set of highly damaging threats. (Have you noticed that AV Threat Scores are worthless???) Ironically the smaller the prevalence of the malware threat (APT —-> ) leads to AV vendors saying it is a low, very low threat. Well not when its shunting Joint Strike Fighter data to Beijing its not. Get with the program. Granted AV companies dont give a crap about the US Government. They are global in nature and have millions of customers. A targeted attack, being thats its well, targeted, only might impact .005 percent of their customers. However Threat ratings are still stuck in the worm days and have not evolved appreciably in years…
At the end of the day this will allow organizations to save a ton of money and resources where currently they are trying to cobble together, buy/build their own internal VirusTotal systems on the back end (a Ridiculous effort and waste) and proceed with half ass implementations of their own sandbox systems for fear that AV companies will report this out to the world and by nature of their products tip off the attackers that they have been discovered.
This would also prevent allow for intelligent threat driven TRIAGE of their malcode events allowing them the freedom of action to handle each and every event the way THEY want to. Allowing them to capture memory first, collect a forensic image, or say monitor network traffic for a time to profile the attack, or conduct active defense actions by infiltrating the C2 channels/distrupting the hostile infrastructures. and allow for capture and analysis of the compromised hop point that will reveal the origins of the TRUE attackers.
I know this blog gets lots of readers however it gets VERY little active discussion and feedback. This is a dam shame. If you know of any open blogs that actually these issues seriously and discuss them in depth and are willing to address the bugaboo in the room then let me know and I will link them. I would be AV companies are sitting on a ton of APT malware that they have no clue as to the operational context….
It’s high time you stop getting events labeled trojan.generic and Backdoor.ckb Come on man that’s just crap. Customers should demand better.
At the end of the day I guess, I am really just planting seeds..