I was one of the guests at the recent Forensic Lunch discussion, led by David Cowen. Here’s the video recording of the conversation. I talked about how I found myself doing malware analysis and some of the challenges of migrating my malware lab to Windows 8.

Lenny Zeltser

Making Sure Your Security Advice and Decisions Are Relevant


Perhaps the most challenging and exciting aspect of information security is the need to account for business context when making decisions. One way to do this is to determine the unique strengths of the company—its competitive advantages—so you can frame risk conversations accordingly.

Economic Moats to Safeguard the Business

Gunnar Peterson discussed aspects of this concept using the notion of economic moats. According to Morningstar, an economic moat “refers to how likely a company is to keep competitors at bay for an extended period.” This term is similar to what others might call a sustainable competitive advantage. Just like a moat helps safeguard the castle from attackers, an economic moat contributes towards protecting the business from competitors.

Companies have different economic moats, and those without a sustainable competitive advantage tend to stagnate. Gunnar outlined several types of moats highlighted by Morningstar, including low operational costs, intangible assets (strong brand, patents, etc.) and high switching costs (customers tend to stay).

Relate Security Risks to Economic Moats

What are your organization’s economic moats? If you don’t know what capabilities help the company protect or expand its market share, find out. This knowledge will help you make informed security decisions and will allow you to be a more persuasive participant in risk discussions. As Gunnar pointed out, “the two most important things in infosec are identifying what kind of moat your business has and then defending that moat.”

Information security professionals often complain that executives ignore their advice. There could be many reasons for this. One explanation might be that you are presenting your concerns or recommendations in the wrong business context. You’re more likely to be heard if you relate the risks to an economic moat relevant to your company.

A common approach to emphasizing the importance of information security is based on the notion that a data breach can tarnish the company’s brand. In many cases, the reality shows that the business doesn’t actually suffer in the long term, and in some cases the attention brought by the breach could actually help the company. However, even if the company might suffer in the short term, an argument based on brand tarnishing could fall on deaf ears if the organization doesn’t consider its brand a competitive advantage.

Security in Support of Sustainable Competitive Advantages

A company whose economic moat is its brand will spend considerable effort to protect its brand equity. For organizations like that, the brand-tarnishing argument might be effective and could be a good way to justify security funding. However, companies that have other moats won’t care as much about safeguarding their brands.

For instance, consider a firm whose economic moat is tied to low costs due to its operational expertise and supplier relationships. A good context for making security decisions in this organization might be its efforts to protect proprietary details related to internal and supplier logistics. Threats to this moat will likely capture executives’ attention.

Another organization whose moat is its proprietary intellectual property will want to hear your thoughts on protecting such trade secrets. Alternatively, if a firm sees its time-to-market as a competitive advantage, it will want to know about the security risks that could slow it down and prevent the next timely release of its product.

An economic moat might protect the company from competitors, but it could be eroded by internal factors such as a security breach. Understand your company’s economic moats. Use them to frame security decisions and to ensure that your infosec advice is relevant to the company’s business objectives and strategies.

Lenny Zeltser

Malware: Whom or What Are We Fighting?

When characterizing ill-effects of malicious software, it’s too easy to focus on malware itself, forgetting that behind this tool are people that create, use and benefit from it. The best way to understand the threat of malware is to consider it within the larger ecosystem of computer fraud, espionage and other crime.

A Tip of a Spear

I define malware as code that is used to perform malicious actions. This implies that whether a program is malicious depends not so much on its capabilities but, instead, on how the attacker uses it.

Sometimes malware is compared to a tip of a spear—an analogy that rings true in many ways, because it reminds us that there is a person on the other end of the spear. This implies that information security professionals aren’t fighting malware per se. Instead, our efforts contribute towards defending against individuals, companies and countries that use malware to achieve their objectives.

Understanding the Context

Without the work of the personnel who handle the technical aspects of malware infections, malware-empowered threat actors would be unencumbered. Yet these tactical tasks need to be informed by a strategic perspective on the motivations and operations of the individuals who create, distribute and profit from malware.

To deal with malware-enabled threats, organizations should know how to detect, contain and eradicate infections, but we cannot stop there. We also need to understand the larger context of the incident. We won’t be able to accomplish this until we can see beyond the malicious tools to understand the perspective of our adversaries. The who is no less important than the what.

Lenny Zeltser

Participating in the Eternal Cycle of Cybersecurity


When engaged in a fight, it’s natural to ask yourself whether you are winning or losing. However, in the context of cybersecurity, this question might not make sense, because it presupposes that the state of winning exists.

Maintaining the Equilibrium

Every day, new people and transactions appear online, making the digital world more attractive to criminals. Miscreants fund malicious software and attack operations, so they can achieve financial, political and other objectives. Security practitioners respond to evolving online threats; the attackers adjust their tactics, the defenders tweak their approaches, attackers regroup, and so on and so forth.

Defenders sometimes feel that attackers are innovating at a pace that outstrips our ability to defend sensitive data and computer infrastructure. Such impressions tend to be emotional and subjective, and they often lead to questions about which party is winning the fight. Defining our objectives in terms of winning or losing might not be practical.

The Eternal and Vicious Cycle

My perspective on the dynamics between cyber attackers and defenders aligns with the ecological metaphor that Lamont Wood described in an article Malware: War Without End. He referred to it as “an eternal cycle between prey and predator, and the goal is not victory but equilibrium.” It’s unlikely that this cycle will end and that either party will “win.”

When I spoke with Lamont, I suggested that attackers work to bypass our defenses and the defenders respond as part of the cycle. If attackers get in too easily, they are spending too much on their efforts. If we are blocking 100% of the attacks, we are probably spending too much on defense.

The digital ecosystem as a whole continues to thrive, because it benefits its legitimate users as well as the criminals that act as parasites within the system. However, individual participants in this ecosystem could find themselves at a disadvantage and suffer losses. Being complacent is risky for any given party, because it must constantly apply energy to maintain the equilibrium.

If our goal is to “win” the fight against cyber criminals, we don’t stand a chance, in part because there will always be more threats to combat. It might be more useful to define our objectives in terms of maintaining an equilibrium between the defenders and the attackers. This way, we can help our organizations excel in the contaminated world of the Internet.

Lenny Zeltser

Security Trends and Your Career Plans


The future of information security is intertwined with the evolution of IT at large and the associated business and consumer trends. It’s worth taking the time to understand these dynamics to define a path for your professional development. How is the industry evolving and what role will you play?

Key Security Trends

Rich Mogull’s write-up on infosec trends offers an excellent framework for peeking 7-10 years into the future. Rich highlights key factors related to: hypersegregation, operationalization of security, incident response, software-defined security, active defense and closing the action loop. Read his article to understand these trends, then come back to consider how they might affect and inform your career development plans.

I won’t get into every trend that Rich described, but I’d like to share my thoughts on how some of these factors offer professional development opportunities for information security and IT professionals. Operationalization of security might be a good place to start.

IT Operations Professionals

As Rich points out, today infosec personnel “still performs many rote tasks that don’t actually require security expertise.” He predicts that security teams will divest themselves “of many responsibilities for network security and monitoring, identity and access management,” etc.

If you’re an IT operations professional who has no interest in specializing in security, you can expand your expertise so that you can take on some of the tasks performed by security personnel today. This might be a natural expansion of what you’re doing already. Moreover, consider what skills you need to possess to automate as many of these responsibilities as possible, allowing your organization to lower costs and improve quality of IT operations and helping you maintain your own sanity.

Information Security Professionals

If you’re an infosec person looking to grow in this field, consider what responsibilities will remain with security professionals. A security person might lack some of the expertise of his operations-focused IT colleagues, but presumably he is better at understanding security. This includes the knowledge of attack and defense tactics, the dynamics of incident response, security architecture and patterns, etc. These are some of the areas where you should focus your professional development efforts.

How to design and validate security of a network where every node is segregated from each other? How to assist the organization in living through a security incident cycle that could span days, but sometimes spans years? How to oversee and validate safeguards when most aspects of the IT infrastructure and applications have been virtualized and could be accessed via an API? What deception tactics could be employed to deter, slow down and detect intruders?

These are some of the questions, grounded in Rich’s trends, that infosec professionals should be able to answer, as they consider how to best contribute to their organization’s success in the future.

Asking the Right Questions

Do your best to project the future of industry trends. Based on these, consider what questions an employer might need answered 3, 7, 10 years from now. You might not know the answers to these questions yet, but the questions can guide you in drafting a professional development plan that will be right for you.

Lenny Zeltser

How to Get a Windows XP Mode Virtual Machine on Windows 8.1

Despite its age, Windows XP is useful to have in your IT lab, for instance if you need to experiment with older software or study malware. Microsoft distributes a Windows XP virtual machine called Windows XP Mode, which you can download if you’re running Windows 7, as I explained earlier.

If you’re using Windows 8 or 8.1, you can still get the Windows XP virtual machine, but it requires a bit more work. The initial steps below are based on the instructions documented on the Redmond Pie blog.

First, download Windows XP Mode from Microsoft. You’ll need to go through the validation wizard to confirm that you’re running a licensed copy of Windows. Though designed to look for Windows 7, it appears to accept Windows 8.1 as well. After the validation completes, you’ll be able to download the Windows XP Mode installation file.


Once you’ve downloaded the Windows XP Mode installation file, don’t run it. Instead, explore its contents using a decompressing utility such as WinRAR or 7-Zip. Inside that file, go into the “sources” directory and extract the file called “xpm”.


The file “xpm” is another compressed archive, whose contents you can navigate using a tool such as 7-Zip. Extract from the “xpm” archive the file called “VirtualXPVHD” and rename it to something like “VirtualXP.vhd”.


This VHD file represents the virtual hard disk of the Windows XP system. You can use VirtualBox to create a virtual machine out of it. To do this, use the VirtualBox wizard for creating a new virtual machine and select “Use an existing virtual hard drive file” when prompted.

To create a VMware virtual machine out of the VHD file you’ll first need to convert it to the VMDK format, which VMware uses to represent virtual disks. The most convenient way to do this might be to use WinImage. If following this approach, select “Convert Virtual Hard Disk image…” from the Disk menu in WinImage, then select “Create Dynamically Expanding Virtual Hard Disk”. When prompted to save the file, select the VMware VMDK format and name the output file something like “VirtualXP.vmdk”.


Once the VMDK file has been saved, you can create a VMware virtual machine out of it by using VMware Workstation. Go to File > New Virtual Machine. Select “Custom (advanced)” when prompted for the configuration type. Accept defaults as you navigate through the wizard. When prompted to select a disk, select “Use an existing virtual disk” and point the tool to the VirtualXP.vmdk file.


Once the VMware virtual machine has been created, launch it, then go through the Windows XP setup wizard within the new virtual machine the same way you would do it for a regular Windows XP system. After Windows XP setup is done, install VMware tools into the Windows XP virtual machine you just created. Take a snapshot of your virtual machine, in case it breaks.


Windows XP installed into the virtual machine in that manner might need to be activated with Microsoft within 30 days of the installation. Be sure to understand and comply with the applicable software licensing agreements.
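The steps above can be scripted so that the lab VM is rebuilt the same way every time. The following PowerShell is an added example, not part of the original post and not something Microsoft, 7-Zip, Oracle or VMware ship. It assumes 7-Zip and VirtualBox are installed in their default locations on a Windows 8.1 host, that the installer was saved as WindowsXPMode_en-us.exe in the current directory (the actual file name depends on the language pack you downloaded), and that the host-only adapter carries the default name VirtualBox creates on Windows. It uses VBoxManage clonemedium (VirtualBox 5.0 and later; older releases call it clonehd) in place of WinImage for the VHD-to-VMDK conversion.

```powershell
# Added example: scripted version of the Windows XP Mode extraction and
# VM creation steps. Assumptions: default install paths for 7-Zip and
# VirtualBox, installer saved as WindowsXPMode_en-us.exe (assumed name).
$ErrorActionPreference = 'Stop'

$SevenZip  = 'C:\Program Files\7-Zip\7z.exe'
$VBoxMgr   = 'C:\Program Files\Oracle\VirtualBox\VBoxManage.exe'
$Installer = '.\WindowsXPMode_en-us.exe'   # assumed file name
$WorkDir   = '.\xpmode'
$VmName    = 'WinXP-Lab'

foreach ($tool in @($SevenZip, $VBoxMgr, $Installer)) {
    if (-not (Test-Path $tool)) { throw "Missing: $tool" }
}
New-Item -ItemType Directory -Force -Path $WorkDir | Out-Null

# Step 1: pull sources\xpm out of the installer without ever running it.
# 'e' extracts without the archive's directory structure; -y suppresses prompts.
& $SevenZip e $Installer 'sources\xpm' "-o$WorkDir" -y | Out-Null
if (-not (Test-Path "$WorkDir\xpm")) { throw 'sources\xpm not found inside the installer' }

# Step 2: xpm is itself an archive; extract the raw disk image and give it
# the .vhd extension so VirtualBox recognizes the format.
& $SevenZip e "$WorkDir\xpm" 'VirtualXPVHD' "-o$WorkDir" -y | Out-Null
if (-not (Test-Path "$WorkDir\VirtualXPVHD")) { throw 'VirtualXPVHD not found inside xpm' }
Rename-Item -Path "$WorkDir\VirtualXPVHD" -NewName 'VirtualXP.vhd'
$Vhd = (Resolve-Path "$WorkDir\VirtualXP.vhd").Path

# Step 3: build a VirtualBox VM around the existing disk (equivalent to
# choosing "Use an existing virtual hard drive file" in the wizard).
& $VBoxMgr createvm --name $VmName --ostype WindowsXP --register
& $VBoxMgr modifyvm $VmName --memory 512 --vram 16
& $VBoxMgr storagectl $VmName --name 'IDE' --add ide
& $VBoxMgr storageattach $VmName --storagectl 'IDE' --port 0 --device 0 --type hdd --medium $Vhd

# Lab hardening: Windows XP is end-of-life and this image is unpatched, so
# keep it off the real network. Adapter name is the VirtualBox default on
# Windows (assumption); adjust if yours differs.
& $VBoxMgr modifyvm $VmName --nic1 hostonly --hostonlyadapter1 'VirtualBox Host-Only Ethernet Adapter'
# Option spelling varies by VirtualBox version (newer releases use
# --clipboard-mode and --drag-and-drop); the goal is the same: no host/guest sharing.
& $VBoxMgr modifyvm $VmName --clipboard disabled --draganddrop disabled

# Optional: produce a VMDK for VMware Workstation instead of using WinImage.
& $VBoxMgr clonemedium disk $Vhd "$WorkDir\VirtualXP.vmdk" --format VMDK

# Snapshot the clean state before first boot so a broken setup can be rolled back.
& $VBoxMgr snapshot $VmName take 'clean-vhd' --description 'Unmodified XP Mode disk'
```

Run it from an elevated PowerShell prompt after downloading the installer. The host-only NIC is the practitioner's caveat here: an XP system that will receive no further patches should never share a bridged or NAT interface with your production network, and if it is a malware lab, the host-only segment is also where you would place a REMnux-style fake gateway to observe the sample's traffic.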

If this topic is interesting to you, take a look at my Reverse-Engineering Malware course. Other related items:

Lenny Zeltser

What to Do About Password-Sharing?


Sometimes people share passwords. This practice might stem from the lack of support for unique user accounts in some applications. Even more importantly, the reasons for password-sharing have to do with convenience and social norms. Technologists are starting to recognize the opportunity to account for these real-world practices in their products.

I detailed password-sharing practices in a post on the future of user account access sharing and presented several examples. I looked mostly at consumer and small business situations, not necessarily at heavily-controlled enterprise applications. For instance, adults frequently share logon credentials to their Netflix accounts among a small group of people. This saves on Netflix service fees.

Netflix seems to not only tolerate, but even encourage this practice. The service now supports multiple user profiles as part of a single account. One set of logon credentials is actually expected to be used by multiple individuals! A security purist would not approve. Yet this product management decision recognized users’ lack of interest in safeguarding their Netflix accounts from friends and family members.

Rather than pretending that logon credential-sharing doesn’t exist, Netflix accepted that its users will share accounts and built the features its customers wanted. (The fact that any Netflix user profile can cancel the service helps constrain the potential size of the group who can access the account.)

For other examples, consider a small office environment within which individuals trust each other enough to share passwords to applications and websites used by the company, such as Pandora, UPS, Mailchimp, etc. Preaching to these people about the importance of individual logon credentials is usually a waste of time. This is why I hailed the emergence of password vault applications such as Mitro, which make it easier for individuals to share passwords while offering some security safeguards that don’t exist when using Post-it notes for this purpose.

Let’s project into the future a bit. According to danah boyd, teens often share passwords with friends as a sign of trust. This practice is akin to giving a person you trust the combination code to your school locker. Since teens will inevitably become adults, product managers and security architects will eventually have to account for such practices in their applications.

Customer-focused organizations will need to balance the desire to protect people from themselves with the need to give customers what they want. Some say that passwords will eventually go away and be replaced by biometrics and other technologies. Perhaps. In any case, people’s desire and sometimes legitimate need to share account access will persist. Security professionals and product managers will need to figure out how to provide such capabilities while accounting for meaningful risks.

Lenny Zeltser

Potential Security Applications of the iPhone 5S M7 Motion Coprocessor


In addition to the fingerprint scanner, there is another new hardware component in iPhone 5S that security-minded folks might get excited about. I’m referring to the M7 motion coprocessor. According to Apple, the chip continuously measures motion data “from the accelerometer, gyroscope and compass to offload work” from the main processor. Here’s why this is interesting.

Although M7 is being positioned as an enabler for enhanced fitness apps, there might be interesting security applications for the precision and energy-efficiency capabilities of the coprocessor. For instance, consider the possibility for continuous and seamless user authentication. As I proposed earlier:

Continuous user authentication could occur transparently by spotting anomalies in which the user interacts with the system. Such methods could avoid interrupting the user unless the system begins to doubt the person’s identity.

An app utilizing M7 could help identify the unique walking pattern of the phone’s user. This authentication approach is described in a paper titled Pace Independent Human Identification Using Cell Phone Accelerometer Dynamics. Without M7, this methodology might have been impractical due to battery drain and the lack of accurate measurements.

Another example of an authentication approach that could make use of the phone’s motion sensors is exhibited by SilentSense, which tracks “the unique patterns of pressure, duration and fingertip size and position” exhibited by the phone’s user. The goal of this technology is to spot when the phone is being used by an unexpected person.

As nice as the iPhone 5S fingerprint reader is, authenticating users through walking patterns could be even more user-friendly and offer the unique benefit of continuous validation that one-time authentication doesn’t provide. (BTW, the new Moto X phone dedicates a hardware component to “context-sensing,” which seems to support motion-awareness functions.)

While Apple isn’t planning to grant app developers access to the fingerprint reader (a.k.a. “Touch ID sensor”) according to AllThingsD, access to M7 will be available using the expanded Core Motion API. This would allow third-party developers to come up with innovative ways of utilizing M7 motion coprocessor capabilities that go beyond fitness-related applications, assuming Apple’s App Store guidelines will allow this.

Who knows, perhaps your favorite phone security app might soon issue an alert if it detects that an impostor is carrying your phone, giving you an opportunity to wipe the device or take other corrective action. Just an idea.

Lenny Zeltser

Teaching Malware Analysis and the Expanding Corpus of Knowledge


Over the years, the set of skills needed to analyze malware has been expanding. After all, software is becoming more sophisticated and powerful, regardless of whether it is being used for benign or malicious purposes. The expertise needed to understand malicious programs has been growing in complexity to keep up with the threats.

My perspective on this progression is based on the reverse-engineering malware course I’ve been teaching at SANS Institute. Allow me to indulge in a brief retrospective on this course, which I launched over a decade ago and which was recently expanded.

Starting to Teach Malware Analysis

My first presentation on the topic of malware analysis was at the SANSFIRE conference in 2001 in Washington, DC, I think. That was one of my first professional speaking gigs. SANS was willing to give me a shot, thanks to Stephen Northcutt, but I wasn’t yet a part of the faculty. My 2.5-hour session promised to:

Discuss “tools and techniques useful for understanding inner workings of malware such as viruses, worms, and trojans. We describe an approach to setting up inexpensive and flexible lab environment using virtual workstation software such as VMWare, and demonstrate the process of reverse engineering a trojan using a range of system monitoring tools in conjunction with a disassembler and a debugger.”

I had 96 slides. Malware analysis knowledge wasn’t yet prevalent in the general community outside of antivirus companies, which were keeping their expertise close to the chest. Fortunately, there was only so much one needed to know to analyze mainstream samples of the day.

Worried that evening session attendees would have a hard time staying alert after a day’s full of classes, I handed out chocolate-covered coffee beans, which I got from McNulty’s shop in New York.

Expanding the Reverse-Engineering Course

A year later, I expanded the course to two evening sessions. It included 198 slides and hands-on labs. I was on the SANS faculty list! Slava Frid, who helped me with disassembly, was the TA. My lab included Windows NT and 2000 virtual machines. Some students had Windows 98 and ME. SoftICE was my favorite debugger. My concluding slide said:

  • Too many variables to research without assistance
  • Ask colleagues, search Web sites, mailing lists, virus databases
  • Share your findings via personal Web sites, incidents and malware mailing lists

That advice applies today, though one of the wonderful changes in the community from those days is a much larger set of forums and blogs focused on malware analysis techniques.

By 2004, the course was two-days long and covered additional reversing approaches and browser malware. In 2008 it expanded to four days, with Mike Murr contributing materials that dove into code-level analysis of compiled executables. Pedro Bueno, Jim Shewmaker and Bojan Zdrnja shared their insights on packers and obfuscators.

In 2010, the course expanded to 5 days, incorporating contributions by Jim Clausing and Bojan Zdrnja. The new materials covered malicious document analysis and memory forensics. I released the first version of REMnux, a Linux distro for assisting malware analysts with reverse-engineering malicious software.

Around that time the course was officially categorized as a forensics discipline by SANS and was brought into the organization’s computer forensics curriculum thanks to the efforts of Rob Lee.

Recent Course Expansion: Malware Analysis Tournament

The most recent development related to the course is the expansion from five to six days. Thanks to the efforts of Jake Williams, the students are now able to reinforce what they’ve learned and fine-tune their skills by spending a day solving practical capture-the-flag challenges. The challenges are built using the NetWars tournament platform. It’s a fun game. For more about this expansion, see Jake’s blog and tune into his recorded webcast for a sneak peek at the challenges.

It’s exciting to see the community of malware analysts increase as the corpus of our knowledge on this topic continues to expand. Thanks to all the individuals who have helped me grow as a part of this field and to everyone who takes the time to share their expertise with the community. There’s always more for us to learn, so keep at it.

Lenny Zeltser