So the transference of data into information, and of information into knowledge that operational people can use to better defend against and respond to malware, is critical.  Assuming that the concept of a centralized Malware DNA database can get off the ground, and we don't end up with 50 different competing versions, the next logical step is crafting an operational vision to unify the concept and actually make it useful.

Here is an overview of one such method.

The Crucial “Digital Genome Sequencing Methodology” advances the established highly technical field of malware analysis by revolutionizing the current operational methods for communicating, collaborating, and sharing critical intelligence about malicious code. This new communications model is comprised of the following key components:

  • A Digital Genome Sequence data representation standard collaboratively established through an expert network of malicious code analysts and implemented as a unique binary bitstream for the description of malware along with its hash and fuzzy hash signatures.
  • A knowledge base repository of malware DNA traits comprising characteristics and functions. Characteristics are what the malware looks like, functions represent the potentially hostile effects that can impact operations.
  • An XML Malware DNA Trait data schema to parse the malware bitstream and represent it to applications for operational use. This schema will translate the bitstream into technical intelligence by presenting detailed information about each trait.
  • A distributed Malware Intelligence Fusion Dashboard application implements the XML schema and communicates the analytical information to the operator as an intelligence dossier about the malware sample.
  • A Malware Analyst Workbench component within the dashboard will allow analysts to retrieve a malware sample during analysis and author the digital genome sequence data by selecting DNA traits as they are discovered, allowing for constant sample refinement in collaboration with other analysts, who can securely discuss the markup process.
  • The Malware Dossier is constructed of DNA traits fused together with previously derived cyber-intelligence related to that sample and delivered as analytical product for total situational awareness.
  • An Operational Impact Score is generated for the cyber-operator based on a weighted scoring algorithm that evaluates the likelihood of code being malicious based on its characteristics, functions, and historical cyber-intelligence compared to its delivery vector and operational targeting of critical assets, organizations, data, or operations.

This “Offense informs Defense” approach allows for commanders to effectively plan for agile cyber-defense and conduct precise cyber-targeting in support of counter-force and counter-intelligence actions.

The collaborative approach to the analysis and communication of malware DNA traits is the only realistic and scalable solution to a critical national security problem, one that threatens to blunt the ability to protect national interests and to erode the scientific and technological advantage gained through expensive research and development.

Any knowledge base is only as good as the collaborative work that is entered into it by the hardworking and pioneering analysts that currently research new malware tactics, techniques, and procedures.  I will be issuing this invitation to reversers and analysts that I have respected and read about while doing my research.  It is my hope that a small portion of these researchers will accept this role and help guide the open source generation of the world's largest malware DNA knowledge base.

Here is the list in no particular order: 

  • Phil Wallisch – HBGary
  • Lorenzo Kucaric – Crucial Security
  • Michael Troutman – Crucial Security
  • Nick Harbour – Mandiant
  • Jorge Mieres
  • Tom Liston
  • Giuseppe Bonfa (Evil Cry)
  • Frank Boldewin
  • Alex Lanstein – FireEye
  • Atif Mushtaq – FireEye
  • Julia Wolf – FireEye
  • Didier Stevens
  • Paul Royal
  • Danny Quist – Offensive Computing
  • Marco Cova
  • Ero Carrera
  • Joe Stewart – SecureWorks
  • Anushree Reddy
  • Dancho Danchev
  • Peter Kleissner
  • Ivan Kirillov – MITRE MAEC
  • Dr. Michael VanPutte – DARPA Cyber Genome

This list is not complete, and will be extended based on recommendations from other analysts and researchers.  There is also a standing invitation to all antivirus community researchers who do this for a living and have seen these techniques and tricks for years, yet have never had an effective way to communicate these traits in a standardized fashion.  Now here is your chance!

Post a reply here if you're interested in being on the board.

This is a test of a development prototype for the identification and submission of Malware DNA Traits into a centralized Knowledgebase.  This will be a collaborative industry effort.  The industry has recognized and validated the need for this.  There are several excellent groups that are adopting the concepts of malware DNA.  Here is a sampling.  The fact that pools of research money have been and are still being put into solving this problem, especially under DARPA, demonstrates how challenging a realization of this will be.

  • HBGary – feature in their Responder Pro – Live memory analysis toolset
  • Harris Corp. – Digital Genome Sequencing Methodology
  • MITRE –
  • IEEE Standards Association – (blog post and )
  • Defense Advanced Research Projects Agency (DARPA) Strategic Projects Office – –

So a researcher I admire for his willingness to reveal his to the general masses, especially through his top 10 lists of the largest.  He has also done excellent research on more sinister malware such as Coreflood which has evolved over the years.


Apparently he is presenting some similar concepts at RSA soon that I have been espousing here, such as my cyber Special Ops forces targeting cybercrime networks.

Here is a quote from his

“Finally, on Thursday I’ll be delivering my own presentation entitled “Demonetizing Botnets” at 2:10 PM. This talk outlines my ideas for how we should restructure our efforts at fighting not just botnets, but cybercrime in general, both long and short-term. In this presentation, I will introduce a concept I call “offense-in-depth”, which I believe is the only approach that can address most of the cybercrime problems we are currently facing, given the current environment with respect to law enforcement’s challenges in cyberspace and pervasive vulnerabilities in computing and networking. I’m not saying my plan is any kind of silver bullet, but I hope it becomes part of the arsenal of everyone out there who is attempting to stem the tide of malicious software and computer intrusion. If you are interested in hearing my take on these matters, please attend. If anything I say inspires you to action, please meet up with me after the talk, and we can discuss the issues further. Hope to see you there!”

I love some of the . Titled….    (Joe I am behind you  on this one.)

Researcher wants hacker groups hounded mercilessly

Botnet expert Joe Stewart says ‘special ops’ teams could thwart cybercriminals

These concepts I have discussed in great depth in some of my earlier posts such as our Spotlight Shine Bright series, and my I call Shenanigans, and BBC Wussy Robin Hood articles.

A technology company employing some of the best and the brightest in the field just released an update to their product that actually implements an idea that I have been working on since late last year.  Clearly many in the security industry have realized that we need a couple of good game changing concepts to take us to the next level.  My focus was on how to change how we COMMUNICATE about malware.  If we are all working on the same sheet of paper, then we can focus our efforts on other high payoff challenges.

The company is led by the guys who literally wrote the book on rootkits.


HBGary seems to have done a good implementation job building Digital DNA features into their flagship product, Responder Pro, which is an excellent live memory analysis tool.  More and more, live memory analysis is critical to obtaining a full picture of what the malware does.


I have been researching similar concepts based on extracting malware code DNA traits through observational analysis and generating them as data.  The goal is to identify and classify malware characteristics (what it is) separately from its functions (what it does).

For example, the fact that a piece of code packs itself to hide from antivirus or hinder reversing is a characteristic.  In and of itself it poses no threat.  A piece of code that can read/write files on your system and execute programs has dangerous functionality all around.  That is a function.

A possible implementation would involve an Adobe Flex or HTML5 based digital cyber dashboard that takes analyzed samples from backend systems, extracts the DNA automatically or manually, and creates a signature for the malware that combines a representative string of bits representing the DNA with hash and fuzzy hash signatures such as MD5, SHA-1, SHA-256, SHA-512, and ssdeep.

The dashboard generates a characteristic score and a function score that combine into an overall threat score.
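A worked example of the signature and scoring scheme just described, written for this post and not code from the Harris or HBGary systems: a constructed trait catalogue (hypothetical names and weights) maps to one bit each in the DNA bitstream, the standard hashes are attached to the sample, and the characteristic and function scores combine into an overall threat score. The combining rule is an assumption, and ssdeep is left out because it needs a third-party library.

```python
import hashlib

# Constructed trait catalogue (hypothetical names and weights), one entry
# per bit of the DNA bitstream, as (trait name, kind, weight).
# Characteristics describe what the code looks like; functions describe
# what it can do to a system.
TRAITS = [
    ("packed",          "characteristic", 1),
    ("anti_debug",      "characteristic", 2),
    ("high_entropy",    "characteristic", 1),
    ("file_read_write", "function",       3),
    ("process_execute", "function",       4),
    ("network_beacon",  "function",       4),
    ("keylogging",      "function",       5),
]

def encode_dna(present):
    """Bitstream: '1' where the trait was observed in the sample, else '0'."""
    return "".join("1" if name in present else "0" for name, _, _ in TRAITS)

def decode_dna(bits):
    """Inverse of encode_dna: recover the set of trait names from the bits."""
    return {name for (name, _, _), bit in zip(TRAITS, bits) if bit == "1"}

def weighted_pct(kind, present):
    """Weighted share (0..100) of the traits of one kind seen in the sample."""
    total = sum(w for _, k, w in TRAITS if k == kind)
    hit = sum(w for n, k, w in TRAITS if k == kind and n in present)
    return 100.0 * hit / total

def threat_score(present):
    """Return (characteristic score, function score, overall threat score)."""
    char = weighted_pct("characteristic", present)
    func = weighted_pct("function", present)
    # Characteristics alone pose no threat; they only raise the score of
    # code that also carries hostile functions (this weighting is an assumption).
    overall = 0 if func == 0 else round(func + (100 - func) * char / 100)
    return char, func, overall

def build_signature(sample, present):
    """DNA bitstream plus the per-sample hash signatures (ssdeep omitted)."""
    sig = {"dna": encode_dna(present)}
    for alg in ("md5", "sha1", "sha256", "sha512"):
        sig[alg] = hashlib.new(alg, sample).hexdigest()
    return sig

if __name__ == "__main__":
    observed = {"packed", "file_read_write", "process_execute"}
    print(build_signature(b"MZ constructed sample, not malware", observed))
    print(threat_score(observed))  # (25.0, 43.75, 58)
```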

The operational vision is to use this dashboard to describe the malware DNA in layman's terms so that cyber-operators and CIO types can RAPIDLY understand the threat and deal with it, rather than trying to decipher a bunch of gobbledygook.

The third component is an intelligence component that combines raw multi-disciplined private and open source intelligence on the bad guys that are behind the campaigns into digital dossiers.
