Defeating Malware With Its Own DNA

It’s widely known that human DNA evidence has had a major impact in the criminal justice system. Now another kind of DNA may have a similar impact in the fight to eradicate malicious software.

Malware DNA, also known as “malware provenance,” is the art and science of attributing elements of one object to another object. The technique has applications outside information security — for example, in genetics, or to test the authorship of student papers.

One way malware writers avoid detection of their programs is to craft polymorphic attacks. They dynamically change the code in their malware just enough to confound antivirus programs. Provenance counters that technique by identifying the amount of similar code in a program, or its “DNA.”

Every malware variant has an immutable part derived from its predecessors all the way back to its original malware family. For example, CryptoWall 3.0 shares the same genome with CryptoWall and the previous CryptoDefense.

The technique is not only very accurate, but also very fast. It can identify malware at machine language speeds and even detect zero day malware — that is, previously unseen malicious programs.

Stacks of Band-Aids

Up to now, malware fighters have been struggling to stem the tide of malware crashing over their systems, notedIgor Volovich, CEO of Romad Cyber Systems.

“We’ve got stacks of Band-Aids,” he told TechNewsWorld. “We keep adding more and more bandages, and we stop the bleeding for a while, but we never really fix the root cause.”

The information security for years has focused on preventing infections, but that’s proving to be inadequate in today’s threat landscape.

“We’ve got to respond,” Volovich said. “That’s why now you see things like threat hunting, trying to decrease the dwell time an attacker spends inside your network from the current average of 266 days to a few days or hours.”

The next evolution in cyberdefense will be to disrupt an attacker’s ability to do what they do and do it at scale, globally and consistently, he explained. “Unfortunately, none of the solutions that have been offered by the industry over all these years have been able to do that in any meaningful way.”

Security Silos

Indeed, HPE found that one of the key factors impeding security adoption in DevOps is insulation of security from the process.

“While people believe that security should be embedded, they’re really not bringing security people into the conversation when they’re talking about software development,” Bledsoe said. “It’s oftentimes an afterthought.”

That was evident in the HPE report’s findings. When organizations using DevOps were asked how they were protecting applications, the overwhelming majority cited security practices and controls downstream in the development process — practices like penetration testing and network security.

What’s more, nearly one in five of the outfits (17 percent) admitted they’re not using any technologies to protect their apps.

Security Engineer’s Worse Nightmare

The problem is not just that security teams are screened from the development cycle, but also that development teams are screened from the security process.

“There’s no feedback loop. If something major is found, an email blast goes out to a bunch of people and everyone starts running around and yelling the house is on fire,” Bledsoe said.

“The majority of the time, nothing actually happens,” she continued. “They rely on network or perimeter security instead of patching. That’s why, without proper planning, DevOps can be a security engineer’s worse nightmare.”

Breach Diary

  • Oct. 31. Attorney General of Washington reports that from July 2015 to July 2016 39 data breaches in the state affected some 450,000 people.
  • Oct. 31. U.S. Office of Personnel Management announces it is changing its credit monitoring and identity protection service provider, and that some of the 25 million people affected by a data breach at the agency will have to re-enroll to continue coverage.
  • Oct. 31. Shadow Brokers hacker group releases data dump, allegedly from computer servers around the world that were compromised by The Equation Group, which is believed to be linked to the NSA.
  • Nov. 1. Microsoft announces Nov. 8 as date it will push patch to address a vulnerability that affects versions of Windows below Windows 10, which Google announced while it was being exploited in the wild.
  • Nov. 1. Fortinet warns Android users of new banking malware campaign targeting customers of large banks in the United States, Germany, France, Australia, Turkey, Poland and Austria. The malware can steal credentials from 94 different mobile banking apps and defeats two-factor authentication by intercepting text messages.
  • Nov. 1. Terbium Labs releases report finding that 55 percent of the content on the Dark Web is legal.
  • Nov. 1. LastPass, a popular password manager, announces its users can access the program on any device for free.
  • Nov. 2. U.S. District Judge Rosemary Collyer dismisses class action lawsuit stemming from 2015 data breach at the IRS in which the personal and financial information of 330,000 taxpayers and their family members was compromised by hackers who infiltrated the now defunct “Get Transcript” service, which allowed taxpayers to access their tax filings online.
  • Nov. 2. Isabelle Falque-Pierrotin, chair of the Article 29 Working Party, a committee of European data protection authorities, sends letter to Yahoo requesting more details on theft of data on 500 million Yahoo users.
  • Nov. 2. Northern Lincolnshire and Goole NHS Foundation Trust in the UK cancels all planned operations and diverts major trauma cases to neighboring facilties after shutting down all its computer systems due to a computer virus infection.
  • Nov. 2. CEB releases report finding 90 percent of employees violate policies designed to prevent data breaches.
  • Nov. 2. U.S. Federal Trade Commission releases 16-page guide on steps that businesses should take once a data breach has occurred.
  • Nov. 2. Business Insider announces its website was compromised by OurMine, a group that hacks websites to expose security flaws.
  • Nov. 3. New Zealand Nurses Organization announces “tens of thousands” of its members’ contact details were emailed to someone posing as the chief executive of the organization.
  • Nov. 4. Cisco warns users of its Professional Careers mobile site that their personal information was exposed on the Internet due to a misconfiguration error at the site.
  • Nov. 4. Greenville Online reports personal information of some 2,500 cardiology patients at Carolina Cardiology Consultants of North Carolina placed at risk after it was inappropriately downloaded by an employee of a third-party contractor.
  • Nov. 4. Zion Research releases market forecast for encryption software predicting growth to $7.17 billion in 2021 from $2.20 billion in 2015, with a compound average growth rate of 21.7 percent between 2016 and 2021.

Eradicating Malware

That can change with the use of provenance. With it, even zero day malware — malware previously unseen by security researchers — can be stopped in its tracks.

“In reality, all zero day malware is a variance of previously seen malware,” said Arun Lakhotia, a professor of computer science at the University of Louisiana at Lafayette.

“They’re mostly not new malware code — they’re mostly variations of previous malware,” he told TechNewsWorld. “Writing new software takes up time and money so malware authors don’t write new software every day, so most malware is a variant of a previous version.”

That’s where genetics enters the picture. Each variant is like the child of a parent. Just as paternity can be identified with biological DNA, so can malware paternity be identified with coding DNA.

Because it’s expensive to write new malware code, provenance can hurt criminals where it hurts the most — the wallet — because they won’t be able to reuse their malicious code so freely.

“If we can disrupt what they’re doing through economic means without having to throw them in jail, we can eradicate malware as we know it,” Volovich said.

DevOps Security Shortcomings

DevOps is a means for delivering applications faster. It also has the potential to create more secure apps, although a recent study by Hewlett Packard Enterprise Security found organizations are far from tapping into that potential at the moment.

Everybody believes that security should be an integral part of DevOps and that their DevOps transformations actually will make them more secure, notes the study. However, very few DevOps programs actually have included security as part of the process, since it’s a much lower priority than speed and innovation.

“The reality is that there isn’t a lot of security happening within DevOps,” said Maria Bledsoe, director of product marketing at HPE Security.

“While 99 percent of people believe DevOps is a security opportunity, only about 20 percent actually use application security within DevOps,” she told TechNewsWorld.

If that situation persists, the study warns, conditions could worsen in DevOps environments, because silos still exist between development and security.

Upcoming Security Events

  • Nov. 12. B-Sides Jackson. Old Capitol Museum, 100 South State St., Jackson, Mississippi. Free.
  • Nov. 12. B-Sides Atlanta. Atlanta Tech Village, 3423 Piedmont Rd. NE, Atlanta, Georgia. Free.
  • Nov. 12. B-Sides Boise. Trailhead, 500 S. 8th St., Boise, Idaho. Cost: $10.
  • Nov. 12. B-Sides Charleston. Beatty Center, College of Charleston, Charleston, South Carolina. Free.
  • Nov. 15. Wrangling Unicorns — A Skills Shortage Survival Guide. 10 a.m. ET. Webinar by Acumin Consulting. Free with registration.
  • Nov. 23. Security: Enabling the Digital Revolution Without Disruption. 10 a.m. ET. Webinar by Alert Logic and Rackspace.
  • Nov. 28-30. FireEye Cyber Defense Summit 2016. Washington Hilton, 1919 Connecticut Ave. NW, Washington, D.C. Registration: through Sept. 30, general admission, $495; government and academic, $295; Oct. 1- Nov. 21, $995/$595; Nov. 22-30, $1,500/$1,500.
  • Nov. 29-Dec. 1. Gartner Identity & Access Management Summit. Caesars Palace, 3570 Las Vegas Blvd., South Las Vegas, Nev. Registration: $2,850; public sector, $2,350.
  • Nov. 30. How is Data Analytics Reducing Payments Fraud? 10 a.m. ET. Webinar by BrightTALK and Fiserv. Free with registration.
  • Dec. 2-3. B-Sides Phliadelphia. Drexel University, 3141 Chestnut St., Philadelphia, Pennsylvania. Free.
  • Dec. 6. The 2017 Threatscape. 9 a.m. ET. Webinar by ISF Ltd. Free with registration.
  • Dec. 6. Storm on the Horizon — 2017 Threats Both Foreign and Familiar. 2 p.m. Webinar by OCD Tech. Free with registration.
  • Dec. 7. Insider Threats and Critical Infrastructure: Vulnerabilities and Protections. 10 a.m. ET. Webinar by @LKCyber. Free with registration.
  • Dec. 7. Weaponizing Data Science for Social Engineering: Automated E2E Spear Phishing. Webinar by ZeroFOX. Free with registration.
  • Dec. 7. Quantum Threats: The Next Undefended Frontier of Cybersecurity. 1 p.m. ET. Webinar by Isara Corporation. Free with registration.
  • Dec. 7. Trends in Email Fraud, and How to Prevent Enterprise-Facing Email Attacks. 2 p.m. ET. Webinar by Agari. Free with registration.
  • Dec. 8. Cybersecurity Trends — Security Analytics Is the Game Changer. 1 p.m. ET. Webinar by Interset. Free with registration.
  • Dec. 8. I Heart Security: Developing Enterprise Security Programs for Millennials. 5 p.m. ET. Webinar by NCC Group. Free with registration.
  • Dec. 12. How Cybersecurity, Technology and Risk Is Maturing the Role of the Modern CISO. 5 p.m. ET. Webinar by City of San Diego, Calif. Free with registration.
  • Dec. 13. You CAN Measure Your Cyber Security After All. 1 p.m. ET. Webinar by Allure Security Technology. Free with registration.