OK, so you're saying the guy who is now in charge of protecting us from cyberbadness is saying ” .”

It’s usually poor taste to cuss in what should be a professional forum but….

ARE YOU FUCKING SHITTING ME?!

Someone brief this guy up or get him off the stage..

If I could put the digital threats our country faces into a single simple pictorial message it would be this.  Here is the threat we face….

and here is you, the cyber defender.  NOTE/HINT: You’re somewhere in the middle there.

We are getting our LUNCH eaten.  If Google going full disclosure didn't wake anyone up then they really don't realize what they are dealing with.

They get in, they entrench and you don't get them out.  However, I have the solution:

  • CIOs are utterly ineffectual in impacting the security of our Government systems and data.  No power to FIRE, slash budgets or hold people accountable for abysmal security postures.  – No accountability. – Emphasize RESULTS.
  • Put someone in charge, empower them and get the hell out of the way.
  • Communicate to hostile actors that there is a cost to their actions, and ensure they pay it.
    – Reference the Siberian Pipeline Explosion.
  • Launch unattributable rear guard attacks (wage counter-asymmetric warfare).  Tie their resources up with resource-draining attacks in their rear echelons.
  • Implement a friends and family cyber-beatdown plan, in response to vociferous Foreign Minister denials.  I don't care if you say you didn't do it, I'm still holding your ass responsible.

I have an idea.  We should just bill them licensing fees for all the crap they have stolen.  Anyone got the number for the WTO?  I would call them on my nifty VOIP line but some guy answered in Mandarin.

With the rise of a forensic response to malware intrusion you would think that malware would be smart enough to actually attempt to clean up its tracks by implementing secure deletion methods.  These would include secure deletion off the disk so as to foil file recovery via forensic means, using tried and true secure deletion tools such as are used to wipe a drive of classified materials.  Microsoft Sysinternals sdelete.exe and a zillion other tools are freely available but for whatever reason have not been incorporated into attack methods.  I have been wondering about this absence in malware for a while now.  It will only be a matter of time.  While Metasploit has pioneered a number of anti-forensics methods, not one has delved into the secure erasure of malware footprints so as to render forensic response by products such as Guidance Software EnCase moot.

Additionally, advanced methods to obfuscate in memory and to securely delete or overwrite critical data in memory would be needed to foil the growing rise of live memory forensics, which many organizations still can't seem to wrap their heads around to use operationally.  HBGary is an awesome tool for live memory forensics, as are Mandiant and the Volatility Framework.

This thread might be controversial but I must assume that things will progress that way anyway.  This has to do with the advanced evolution of digital threats.  A very, very large majority of malware is very noisy on the wire.  The fact that bots especially conduct callbacks to their Command and Control systems in the first place on a regular basis (HELLO, I'M HERE, HELLO, I'M HERE, YO! I'M HERE) is on its face completely ridiculous.  If organizations can't get their collective asses in gear to remediate their networks when malware is screaming out every minute to malicious IPs then someone needs a good career spanking.
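That fixed-cadence callback is also the easiest thing on the wire to hunt for. As an added example that is not part of the original post, here is a beacon-cadence check over a constructed connection log; the log format, the addresses and the jitter threshold are assumptions made for the demo.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample connection log, one "<epoch seconds> <src> <dst>" per line.
# 10.0.0.5 calls 203.0.113.7 about once a minute (timer-driven);
# 10.0.0.9 hits 198.51.100.20 in irregular bursts (human-driven).
SAMPLE_LOG = """\
1000 10.0.0.5 203.0.113.7
1060 10.0.0.5 203.0.113.7
1121 10.0.0.5 203.0.113.7
1180 10.0.0.5 203.0.113.7
1241 10.0.0.5 203.0.113.7
1300 10.0.0.5 203.0.113.7
1003 10.0.0.9 198.51.100.20
1010 10.0.0.9 198.51.100.20
1200 10.0.0.9 198.51.100.20
1205 10.0.0.9 198.51.100.20
1390 10.0.0.9 198.51.100.20
1395 10.0.0.9 198.51.100.20
"""


def parse_log(text):
    """Group connection timestamps by (src, dst) pair; blank lines are skipped."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        flows[(src, dst)].append(int(ts))
    return flows


def find_beacons(flows, min_hits=5, max_jitter=0.15):
    """Return [(src, dst, period_seconds)] for pairs whose gaps between
    connections are nearly constant.  max_jitter bounds stdev/mean of the
    gaps: a timer-driven callback sits near 0, human browsing is well above 1."""
    found = []
    for (src, dst), stamps in flows.items():
        if len(stamps) < min_hits:
            continue
        stamps = sorted(stamps)
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            found.append((src, dst, round(avg)))
    return found


if __name__ == "__main__":
    for src, dst, period in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{src} -> {dst} every ~{period}s: possible C2 beacon")
```

Real beacons add sleep jitter, so on production flow data you would widen max_jitter and look at the distribution of gaps per destination rather than a single ratio.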

Awesome products like and which focus their attention on the real problems of botnets, instead of larger AV companies that just sit back and soak up your IT budget, are going to be the game changers here and will eventually drive botnet evolution in a new direction, ironically rendering their products useless.  That's the main problem with solving problems comprehensively – it kills your business plan.

Here's a thought.  Instead of spending a billion dollars and 3 years to rev out the next version of , shim FIREEYE/DAMBALLA with custom sigs into the security stack.  For those that don't know or haven't been reading the press, Einstein is DHS's hope/vision for a big old digital condom against all that nasty hackiness that's been eroding our country's competitive edge for, oh, say, 10 years.  Better hurry up guys, we probably only have about 5 years of Research and Development left to lose before we are facing adversaries that are as technologically advanced as us.  And oh yeah, 4 times the population.  There won't be much need for us in the future.

This leads to the controversial piece.    MALWARE EVOLUTION #1  HUNTER/KILLER

Evolution of autonomous malware with preprogrammed directives.  Malware is just code; code is the digital representation of logical directives.  Directives are a language construct of what fleshbots want or need.  Namely us.  It has surprised me for some time that much of the malware requires a series of manual control command sets to do its job.  Can't you just go tell a piece of malware "look man, do this, this, this, and uh if you see this piece of information or event do this"?  This type of autonomous functional intelligence is what I would have expected from some of the prevalent threats today.   One of the theories behind the lack of sophistication in malware is the Lowest SHIT that works theory.  Namely, if it works, why expend resources to advance the art.  While they may be right, it certainly keeps things boring on the technical malware analysis side.  Implementing a level of sentient intelligence based on certain low level information primitives would not be too hard of a research and development project.  The goal being to implement a handful of the tools of cyberwar, but have them autonomously conducted with the goals of taking the operator out of the loop and meeting certain operational criteria.  This way no beacon beaconing like a goddamn rooster, and actually forcing the industry to start looking at the root of the problem, which is the host and its built-in internals and functions which enable all this crap in the first place.

I will probably expand on this concept further later, but from a defense side it seems that having your shit beacon, and requiring an operator to do basic shit all the time, is just plain stupid.  Fire and forget malware bombs that can steal shit, then encrypt it and blast it once with a special signature as a digital blob onto a peer-to-peer network or to 500 places at once on the Internet for pickup would make things a lot more interesting.

Well that's it, cat's out of the bag. Let's see what happens.

Disclaimer: This blog was designed to explore futuristic concepts and memes of cyberwar and all their implications.  This is a conceptual thought exercise only, not an endorsement.

So It looks like Team Cymru implemented my Gamechanger #1 idea to solve the notification challenges…


The BIN (Bank Identification Number) Feed comprises a near-real-time list of bank accounts and credit cards that have been identified by Team Cymru as potentially compromised. This data comes from Team Cymru’s unique insight into the Underground Economy. This service is provided to verified financial institutions at no cost to them.

The BIN Feed is provided through a secure web portal to vetted and verified financial institutions only. Data is carefully isolated, so that each financial institution can only view data on their own customers’ potentially compromised accounts. Representatives of financial institutions may contact the Team Cymru Outreach Team at with details of their BIN/IIN numbers to request access to this data. Please provide details of your institutional affiliation and allow time for us to verify and validate your request.

I am going to have to give this the whole 2 DIGITS up.

One of the things sorely lacking in the industry is a reliable, standardized index for the weaponization rating of malware.  Security vendors are typically overwhelmed and/or too lazy to do this in the capitalistic bubble they call their business plan.  Malware analysts such as myself have seen this obvious need for a while now.  This rating system applies (pardon the hype buzzwordz) to APT, targeted attacks, advanced obfuscation and protection tools, and cybercrime banking malware alike.  In the end they all 'mostly' implement into their design some type of hopefully advanced mechanism to circumvent host hardening, exploit prevention mechanisms, network detection and host detection.  They also implement highly advanced anti-analysis and obfuscation (armoring) techniques.  This list goes on and on.  However, there is no standard for this and not much debate, so I am proposing the following.

WEAPONIZATION INDEX Scoring System for Malware

A Malware Weaponization Index is calculated to indicate the level of sophistication and advanced techniques leveraged to avoid detection, achieve persistence, maintain survivability, and prevent remediation, along with an assessment of the preciseness of organizational and informational targeting, and the sophistication of its propagation and exploitation vectors such as code exploiting 0-day vulnerabilities. This will help in supporting triage operations for analysis such as dealing with APT, highly customized code, or advanced botnets.

Each of these categories is given a weighted rating culminating in an overall score.  As techniques become more mainstream and commonplace, or out of date they drop off the scale and new techniques are added. 

  • Percentage of custom developed code versus code reuse
  • Number of exploitable vulnerabilities in the malcode
  • Number of software development flaws
  • Percentage of optimized versus inefficient code
  • Use of advanced rootkit techniques, Direct Kernel Object Manipulation (DKOM), malicious hypervisors
  • Encryption robustness evaluation (XOR versus AES, RC5, Public/Private key)
  • Usage of code integrity checking
  • Awareness of operation in virtualized or sandbox environments
  • Implementation of attacks against custom or little used software
  • Implementation of highly advanced anti-debugging techniques
  • Custom targeting of narrowly focused data sets (automatic searching for critical keyword based content)
  • Implementation of custom code packing techniques
  • Implementation of virtualized packers
  • Awareness of hypervisor monitoring
  • Malware that runs completely from memory
  • Malware that is designed to foil memory forensics
  • Malware that protects its critical data such as encryption keys in memory
  • Malware implements destructive or highly disruptive capabilities
  • Malware that armors itself against inspection and hooking techniques
  • Malware that utilizes secure deletion techniques to foil disk based forensics
  • Malware that runs in the kernel using little known native functions
  • Malware that uses unique and innovative persistence techniques
  • Malware developed in languages not commonly used
  • Level of sophistication in metamorphic and polymorphic techniques
  • Level of detection based on AV scanning
  • Any hardware based embedded attacks such as Cisco routers, wireless infrastructure
  • Any exploits against real time operating systems, or weapons platforms
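One way to turn that criteria list into an actual number for triage, as an added example and not the blog's own scoring system: the criterion names are drawn from the list above, but the weights, the 0 to 100 scale, the inverted AV-detection criterion and the "retired" flag that drops mainstream techniques off the scale are all my assumptions.

```python
# Assumed criteria table: name -> (weight, retired).  Retired criteria stay
# documented but score nothing, which models the post's point that once a
# technique becomes commonplace it drops off the scale.
CRITERIA = {
    "custom_code_fraction":  (3.0, False),  # fraction 0..1, not a boolean
    "dkom_rootkit":          (5.0, False),
    "strong_crypto":         (2.0, False),
    "integrity_checking":    (2.0, False),
    "vm_sandbox_aware":      (1.0, True),   # assumed mainstream by now
    "anti_debugging":        (1.0, True),   # assumed mainstream by now
    "custom_packer":         (2.0, False),
    "memory_only":           (4.0, False),
    "anti_memory_forensics": (4.0, False),
    "secure_deletion":       (3.0, False),
    "novel_persistence":     (3.0, False),
    "zero_day_exploit":      (5.0, False),
    "embedded_hw_target":    (5.0, False),
    "av_detection_rate":     (2.0, False),  # fraction 0..1, inverted below
}

# Criteria where a LOW observed value means MORE weaponized.
INVERTED = {"av_detection_rate"}


def weaponization_index(observed):
    """observed: {criterion: True/False or a fraction in 0..1}.
    Returns (score on a 0..100 scale, {criterion: points}) computed over the
    non-retired criteria only; unknown names are ignored here (see below)."""
    max_points = sum(w for w, retired in CRITERIA.values() if not retired)
    breakdown = {}
    for name, (weight, retired) in CRITERIA.items():
        if retired or name not in observed:
            continue
        value = float(observed[name])  # True -> 1.0, False -> 0.0
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name}: value must be a bool or in 0..1")
        if name in INVERTED:
            value = 1.0 - value
        breakdown[name] = round(weight * value, 2)
    score = round(100 * sum(breakdown.values()) / max_points, 1)
    return score, breakdown


def unknown_criteria(observed):
    """Names an analyst used that are not on the index; catches typos that
    would otherwise silently contribute nothing to the score."""
    return sorted(set(observed) - set(CRITERIA))


if __name__ == "__main__":
    sample = {"custom_code_fraction": 0.75, "dkom_rootkit": True,
              "anti_debugging": True, "av_detection_rate": 0.1,
              "memory_only": True}
    print(weaponization_index(sample), unknown_criteria(sample))
```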

So the transference of data into information, and information into knowledge that operational people can use to better defend against and respond to malware, is critical.  Assuming that the concept of a centralized Malware DNA database can get off the ground, and we don't have 50 different competing versions, the next logical step is crafting an operational vision to unify the concept and actually make it useful.

Here is an overview of one such method.

The Crucial “Digital Genome Sequencing Methodology” advances the established highly technical field of malware analysis by revolutionizing the current operational methods for communicating, collaborating, and sharing critical intelligence about malicious code. This new communications model is comprised of the following key components:

  • A Digital Genome Sequence data representation standard collaboratively established through an expert network of malicious code analysts and implemented as a unique binary bitstream for the description of malware along with its hash and fuzzy hash signatures.
  • A knowledge base repository of malware DNA traits comprising characteristics and functions. Characteristics are what the malware looks like, functions represent the potentially hostile effects that can impact operations.
  • An XML Malware DNA Trait data schema to parse the malware bitstream and represent it to applications for operational use. This schema will translate the bitstream into technical intelligence by presenting detailed information about each trait.
  • A distributed Malware Intelligence Fusion Dashboard application implements the XML schema and communicates the analytical information to the operator as an intelligence dossier about the malware sample.
  • A Malware Analyst Workbench component within the dashboard will allow analysts to retrieve a malware sample during analysis and author the digital genome sequence data by selecting DNA traits as they are discovered allowing for constant sample refinement in collaboration with other analysts who can securely discuss the markup process.
  • The Malware Dossier is constructed of DNA traits fused together with previously derived cyber-intelligence related to that sample and delivered as analytical product for total situational awareness.
  • An Operational Impact Score is generated for the cyber-operator based on a weighted scoring algorithm that evaluates the likelihood of code being malicious based on its characteristics, functions, and historical cyber-intelligence compared to its delivery vector and operational targeting of critical assets, organizations, data, or operations.
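To make the bitstream-plus-schema idea concrete, here is an added example that is not Crucial Security's or anyone's actual format: a small trait knowledge base where each trait owns one bit, an encoder and decoder for the bitstream, and an XML dossier rendered from it for a dashboard to consume. The trait table, trait ids, hash values and element names are all constructed for the demo.

```python
import xml.etree.ElementTree as ET

# Assumed knowledge base: bit position -> (trait id, kind, description).
# "characteristic" = what the malware looks like, "function" = what it can do.
TRAIT_KB = {
    0: ("T0001", "characteristic", "packed with custom packer"),
    1: ("T0002", "characteristic", "anti-debugging checks"),
    2: ("T0003", "function", "keystroke capture"),
    3: ("T0004", "function", "periodic C2 callback"),
    4: ("T0005", "function", "secure deletion of own files"),
    5: ("T0006", "characteristic", "runs from memory only"),
}


def encode_traits(trait_ids):
    """Set one bit per observed trait id; unknown ids raise rather than vanish."""
    by_id = {tid: bit for bit, (tid, _, _) in TRAIT_KB.items()}
    value = 0
    for tid in trait_ids:
        if tid not in by_id:
            raise KeyError(f"trait {tid} not in knowledge base")
        value |= 1 << by_id[tid]
    nbytes = max(1, (max(TRAIT_KB) // 8) + 1)
    return value.to_bytes(nbytes, "little")


def decode_traits(bitstream):
    """Return (known trait ids in bit order, unknown bit positions).  Bits with
    no KB entry are reported rather than dropped, so a stream written against a
    newer knowledge base is not silently truncated."""
    value = int.from_bytes(bitstream, "little")
    known, unknown = [], []
    for bit in range(value.bit_length()):
        if value >> bit & 1:
            (known if bit in TRAIT_KB else unknown).append(bit)
    return [TRAIT_KB[b][0] for b in known], unknown


def dossier_xml(sha256, fuzzy, bitstream):
    """Render the decoded traits as an XML dossier (assumed element names)."""
    ids, _ = decode_traits(bitstream)
    root = ET.Element("MalwareDossier", sha256=sha256, fuzzyhash=fuzzy)
    for _bit, (tid, kind, desc) in sorted(TRAIT_KB.items()):
        if tid in ids:
            ET.SubElement(root, "Trait", id=tid, kind=kind).text = desc
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    stream = encode_traits(["T0002", "T0004"])
    print(stream.hex(), decode_traits(stream))
    print(dossier_xml("constructed-sha256", "constructed-fuzzy", stream))
```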

This “Offense informs Defense” approach allows for commanders to effectively plan for agile cyber-defense and conduct precise cyber-targeting in support of counter-force and counter-intelligence actions.

The collaborative approach to analysis and communication of malware DNA traits is the only realistic and scalable solution to a critical national security problem that threatens to blunt the ability to protect national interests and erosion of the scientific and technological advantage gained through expensive research and development.

Any knowledgebase is only as good as the collaborative work that is entered into it by the hardworking and pioneering analysts who currently research new malware tactics, techniques, and procedures.  I will be issuing this invitation to reversers and analysts that I have respected and read about while doing my research.  It is my hope that a small portion of these researchers will accept this role and help guide the open source generation of the world's largest malware DNA knowledge base.

Here is the list in no particular order: 

  • Phil Wallisch – HBGary
  • Lorenzo Kucaric – Crucial Security
  • Michael Troutman – Crucial Security
  • Nick Harbour – Mandiant
  • Jorge Mieres
  • Tom Liston
  • Giuseppe Bonfa (Evil Cry)
  • Frank Boldewin
  • Alex Lanstein – Fireeye
  • Atif Mushtaq – Fireeye
  • Julia Wolf – Fireeye
  • Didier Stevens
  • Paul Royal
  • Danny Quist – Offensive Computing
  • Marco Cova
  • Ero Carrera
  • Joe Stewart – SecureWorks
  • Anushree Reddy
  • Dancho Danchev
  • Peter Kleissner
  • Ivan Kirillov – MITRE MAEC
  • Dr. Michael VanPutte – DARPA Cyber Genome

This list is not complete, and will be enhanced based on recommendations from other analysts and researchers.  There is also a standing invite to all antivirus community researchers who do this for a living and have seen these techniques and tricks for years, yet have never had an effective way to communicate these traits in a standardized fashion.  Now here is your chance!

Post a reply here if you're interested in being on the board.

This is a test of a development prototype for the identification and submission of Malware DNA Traits into a centralized Knowledgebase.  This will be a collaborative industry effort.  The industry has recognized and validated the need for this.  There are several excellent groups that are adopting the concepts of malware DNA.  Here is a sampling.  The fact that pools of research money have been and are still being put into solving this problem, especially under DARPA, demonstrates how challenging a realization of this will be.

  • HBGary – feature in their Responder Pro live memory analysis toolset
  • Harris Corp. – Digital Genome Sequencing Methodology
  • MITRE –
  • IEEE Standards Association – (blog post and )
  • Defense Advanced Research Projects Agency (DARPA) Strategic Projects Office –

So I originally came up with this idea for counterterrorism a while ago and have modified it for cyberwar conflict.  It goes like this.  Why aren't more terrorists killed on a daily basis by powers that can do it and have the will?  For the completely countervailing reason that usually trumps direct action: intelligence gathering.  Plain and simple.  INTs collection is used on a worldwide basis to target actors.  However, pre-9/11 completely showed a lack of will and balls to actually take care of problems for completely bullshit reasons.    Lawyers, human rights, blah blah.  Bureaucracy.  Apathy and pragmatic thought.


My solution for terrorists was this.  You do all the INT collection you want.  But 1 [ONE] DAY EVERY YEAR you have what I will term a BLACK NOVEMBER. What is it, do you ask?  It's a kill pulse.  All the intelligence derived, gathered, fused and generated during the year gets put into a master target list.  And direct action takes place, synchronized.   This will have the immediate effect of dramatically draining the SWAMP, eliminating a lot of the BS INTEL noise you get in collection efforts and clearing the way for a new round of intel gathering, new link analysis and intel collection.

Direct action will be expendable and non-attributable and revolve around “accidents or otherwise mundane unfortunate circumstances”.  Better not to attract that much attention unless that's what you want to go for.

I then evolved this concept to terrorist electronic communication forums, which present the inherent evil of allowing for the dispersal of terrorist ideology, plans, TTPs and other terrorist crap.  So the BLACK NOVEMBER would essentially over time corrupt any backups of data that were being made, then target and destroy, crypto attack or secure delete all worldwide terrorist extremist forums and other info material that is in direct control of mal actors.

One, this highly disruptive attack would sow CHAOS into the ranks, break communication mechanisms, and force the reestablishment of new networks and comms that can be rapidly identified and tracked to be put into the next yearly purge cycle for cyberwipe.

So after this I come to my 3rd evolution of BLACK NOVEMBER.  That is doing the same thing but targeting the numerous cybercrime forums, tool factories, egosites, and botnet command and control sites that exist throughout the Internet. [NOTE: IF IT WASN'T ALREADY OBVIOUS, you do this non-attributably, preferably geographically spread across the Internet IP space and geographies; you also use massive variation in code, techniques, character sets and styles.  Unless of course you don't care about attribution, for the shock factor.]

This can be a massive sweep or it could be a certain number of high threat target sets.  Either way, this pulse of cyberpurging would ENSURE ONE THING: that there are no excuses, no compromises, and real, …REAL action taken against at least the technical mal-infrastructure that pervades the net and sucks like a vampire on our National Security and Economic Security.

I will be the first to say that I don't think our authorities have the will, vision, foresight, or balls to ever consider any of these actions.  However, I will say this.  I am laying it out there as a thought meme, a destabilizing concept that needs to be expanded and discussed and further investigated….
SO WHAT…. DO YOU HAVE A BETTER SOLUTION?  If so, fire away and propose one.  And don't rehash any of the ideas that have been bandied about for years.  Come up with something original.

Yes folks, we need a Phoenix Program for Cyber.  That’s what I’m saying.
