In the past weeks I published several posts describing malware analysis tools and approaches at other blogs:
Also, on my own blog I took a look at Cylance’s Accelerify tool for speeding up the lab system’s clock for malware analysis.
Some organizations have encountered Advanced Persistent Threat over 5 years ago—earlier than most of us. Because of the types of data they process, these initial APT victims were exposed to carefully-orchestrated, espionage-motivated attacks before they spread to a wider range of targets.
Now, half a decade later, might the time to look at the attacks that the initial APT victims are fighting nowadays to forecast the threats that will eventually reach other companies. I am wondering:
It’s hard to answer these questions without first-hand access to the companies that witnessed the first wave of APT attacks. Furthermore, the dilution of the term APT by marketing departments makes it harder to differentiate between reliable APT insights, such as what Mandiant has been publishing, from generic APT-themed sales collateral peppered throughout the web.
Based on public information and observations, I suspect the threat landscape over the next few years will involve:
These are just conjectures. I don’t have the answers to the questions I posed above; however, I thought I’d at least ask them and explore the idea of looking at early APT targets’ current state to anticipate advanced threats that will later affect other organizations.
Related articles you might like:
[video]
In the field of IT in general and digital forensics in particular, you become obsolete the moment you stop learning. Here are several free webcasts related to reverse-engineering and malware analysis that will help you keep your skills up to date.
Upcoming live malware forensics webcasts:
Previously-recorded malware forensics webcasts:
I’m pleased to announce the release of version 4 of the REMnux Linux distribution for reverse-engineering malicious software. The new version includes a variety of new malware analysis tools and updates the utilities that have already been present on the distro.
What’s new in REMnux v4? See the details below and register for a free webcast where I will showcase some of the key additions. You can download the latest release at REMnux.org.
What’s New in REMnux v4
REMnux is now available as a Open Virtualization Format (OVF/OVA) file for improved compatibility with virtualization software, including VMware and VirtualBox. (Here’s how to easily install the REMnux virtual appliance.) A proprietary VMware file is also available. You can also get REMnux as an ISO image of a Live CD.
Key updates to existing tools and components:
New tools added to REMnux:
Getting Started With REMnux
The one-page REMnux Usage Tips cheat sheet outlines some of the more popular tools installed on REMnux. Feel free to customize it to incorporate your own tips and tricks.
The recorded Malware Analysis Essentials Using REMnux webcast provides a good overview and examples of some of the tools for performing static malware analysis. I also recorded a webcast to discuss What’s New in REMnux v4 for Malware Analysis and to demonstrate the new tools.
If you find REMnux useful, take a look at the reverse-engineering malware course that my colleagues and I teach at SANS. It makes use of REMnux and various other tools.
If you haven’t already, download the REMnux distro at REMnux.org.
For tips, issues and workarounds related to installing REMnux v4, see REMnux Version 4 Installation Notes.
Apple’s introduction of two-step verification for Apple IDs is consistent with the trend in the industry to strengthen user authentication practices. Facebook has been experimenting with one-time passwords and social CAPTCHA authentication; Google began offering 2-step verification a while back. It’s great to see Apple get onto this bus.
Apple explains that “two-step verification is an optional security feature for your Apple ID.” To activate it, sign into My Apple ID on Apple’s website and go to the Password and Security area. You will then have the ability to specify which “trusted devices” associated with your Apple ID you wish to use as the second authentication token.
When designating a trusted device, such as an iPhone or an iPad, Apple will send a 4-digit verification code, which will pop up on the device almost instantaneously. You’ll need to enter the code on Apple’s website to confirm that you’re in the possession of the device.
Once you’ve enabled two-step verification, you’ll need to verify that you still have the device whenever you login to the My Apple ID website, when you “make an iTunes, App Store, or iBookstore purchase from a new device” or when you attempt to “get Apple ID-related support from Apple.”
For example, after signing into the My Apple ID website with your username and password, you’ll be presented with the prompt to “verify your identity” using one of the enrolled devices.
A pop-up like this will appear on the designated trusted device:
If your device is locked when the code is delivered, you will need to unlock it before seeing the code. The overall experience is a bit more streamlined than what Google uses, because Google requires the user to install and the activate the Google Authenticator app on the mobile device.
Receiving the code requires an active data connection. If you are using an iPhone, don’t have data but are able to receive SMS, Apple can send a verification code to your a verified phone via SMS. To take advantage of this feature, you need to verify the phone number through the My Apple ID website.
When activating the two-step verification option, Apple automatically generates a Recovery Key, which can be used as an authentication token if you lose access to a trusted device:
Google, Apple and to some extent Facebook now give users the option of strengthening their account authentication process. It’s only a matter of time before other industry giants, such as Twitter, jump in. Perhaps stronger authentication becomes the norm, we might see some innovation in making it more reliable and convenient for end-users.
The need to define custom, incident-specific signatures is slowly gaining traction in the mainstream enterprise. A few years ago this concept, often called Indicators of Compromise (IOCs), was mostly discussed by government organizations and defense contractors who were coming to terms with Advanced Persistent Threat (APT) attacks.
Madiant began popularizing the term IOC around 2007. Kris Kendall’s paper Practical Malware Analysis mentioned IOCs in the context of malware reversing at Black Hat DC 2007. For a precursor to this, see Kevin Mandia’s Foreign Attacks on Corporate America slides from Black Hat Federal 2006. At the time, few organizations saw the need to go beyond antivirus-based detection by analyzing the adversary’s artifacts to define custom host-level signatures.
Now, several years later, the term IOC is pretty well-known in the infosec industry. More companies are adding malware and related analysis skills to incident response teams. As Jake Williams put it, such firms know how to examine new malware and extract IOCs. “These are then fed back into the system and scans are repeated until no new malware is found.” Automated analysis products from vendors such as Norman, Mandiant, FireEye and HB Gary are being increasingly positioned as IR triage-enablers.
That said, the knowledge and skills for deriving and using IOCs is far from being mainstream. Anton Chuvakin highlighted the distinction between security haves and have-nots along the lines of this capability. The haves know how to reverse-engineer malware to “extract the IOCs FAST (or get those IOCs shared with you by trusted friends) and then look for them on other systems.”
IOC techniques haven’t entered the mainstream just yet. But we’re heading in that direction, as more people attain forensics skills and as more tools become available for defining and making use of such custom, incident-specific signatures.
To learn how to define and make use of IOCs, take a look at:
Update: This position has been filled.
I’m looking for a software engineering manager to join my team at NCR in Dallas, TX. The person leads the efforts to develop and maintain software that addresses our customers’ information technology needs. To accomplish this, the manager motivates team members and oversees their activities in the context of Agile-inspired development practices.
Some of the required skills and proficiency levels include:
Are you such a person or do you know someone like this?
[video]
Think you know malware? I created a new fun quiz to see whether you can recognize the 10 malware specimens you should probably know by name. Test your knowledge and learn something along the way.
Take the 10-question Name That Malware! quiz.
If you like this approach to learning, here are two more quizzes I put together:
— Lenny Zeltser