06.04.2010

Today’s blog post has been kicking around in the recesses of my mind for a while.  I have been re-writing it for a while and decided to just get it out there so I can move on to other entries while still doing it justice.  It deals with a subject that over time has become much more popularized though not to the degree that other subjects within our space have.   Customized, designer malware.   Some industries and security practioners are much more familiar with this particular family of malicious code and content than are others.   Certainly key elements within the public sector (DoD, Intelligence Community) and private (Defense Industrial Base, High-Tech R&D, Biomedical R&D) are no strangers to this family but as for the majority I have to believe that it is still largely the stuff of myth and folklore.   When one considers the premise of these types of threats and payloads it becomes apparent that they are unique and quite problematic.  It’s a simple value proposition for the attacker:

  1. Study your target(s)
  2. Collect and qualify intelligence while making discretionary decisions on what to discard or retain
  3. Study and evaluate targets of opportunity – technical and non-technical
  4. Develop a strategy which takes into account tactical and strategic goals and allows for fluid diversion from one path to another should the opportunity cost be deemed too high or unreasonable
  5. Engage and begin insertion within the target environment
  6. Locate, identify and observe targets of interest paying special attention to people, process and technologies put in place to protect the targets
  7. Assess opportunity cost
  8. Engage in compromise
  9. Secure targeted object of mission

10. Extricate data and or target (remember the target could be something of a non-digital order, say a next generation telecommunications hand held for example)

11. Secure the target

12. Initiate process to either extort the rightful owners for profit or identify and initiate potential buyers who themselves have been qualified and are ready to engage in a transaction to secure the rights to the target in question

Sounds complex, perhaps even a bit fanciful or fictitious but rest assured dear reader it is anything other than fictitious.  Methodologies of this sort and other similarly enacted methodologies are utilized often within operations that focus on the use of customized and designer malware targeted at an organization or a specific individual within that organization for the express purpose of illegally acquiring information or assets belonging to that organization which – were they to be sold on the open market or destroyed, would have grave impacts upon the way in which the target or victim organization conducts its affairs.

As an industry we should take these threats and their growing prevalence every bit as seriously as some of the other more recently noted families of threats which have recently permeated the cultural zeitgeist.  In the same breath we as an industry need to be quite careful to avoid hysteria and any potential for ushering in an era of cyber-McCarthyism that sees us descend into a chaotic state fraught with implications, finger pointing, blinder-driven views and a lack of the irrefutable.

So how do we begin fighting these threats?  We begin very much in the same way in which we always do by preparing ourselves and forgoing the tendency to take the path of least resistance.   Many times attacks and compromises seen which fall into the family of customized, designer malware leverage as a basis, technologies which are well known and documented.  Root kits, backdoors, and Trojans amongst others have been noted effectively in these scenarios as have been various and sundry examples of ransomware.   I believe that new, enhanced taxonomic views are necessary in the modern world of malicious code and content analysis for combating these challenges.   These views must be much more comprehensive and at the same time reflect the realities occurring within the Internet threat landscape which at times are denounced as being fiction (e.g. if an attack is launched by a nation state or sub national entity for financial gain it cannot be an apt – this is rubbish).  Customized, designer malware may very well be a significant portion of the signal penetrating the noise in an effort to compromise and exploit our businesses, governments and personal lives on scale much more grand than had ever previously been considered.

Tags: , , Filed Under Advanced Persistent Threats (APT), Cyber Crime, Cyber Defense, Information Security Philosophy, Malicious Code, Malicious Content, Subversive Multi-Vector Threats (SMTs), Trojans 

Comments

Leave a Reply