You’ve seen it in a dozen movies: a character commits a crime, is ID’ed on security camera footage, then dyes her hair to alter her appearance in hopes of evading capture. The m.o. is the same for polymorphic malware—malicious software that’s constantly evolving or changing in order to evade signature detection or blacklisting solutions. Although it’s not a new addition to the hacker’s arsenal, the use of polymorphic malware has lately become a favorite and highly dangerous tactic of organized cyber crime groups.
We just got back from Las Vegas, where we were excited to see so many information security, legal, and digital forensics pros at CEIC 2014 at Caesars Palace. But we’re already ramping up to head back to Vegas for Black Hat 2014, the annual confab designed for the InfoSec practitioners we love to work with.
- "A POS Hack: What's in Your Wallet?" with retail security professional Richard Thompson
- "A 360-Degree View of Enterprise Risk"
- "Endpoints Under Attack"
- "Strategies for Verizon DBIR Top Three Breaches," with EnCase Cybersecurity product manager Ransher Singh
- A handful of choice guest speakers to be announced in a later blog post.
And that’s just Wednesday. Careful readers will see a theme emerging: advances in perimeter security aren’t enough – you need a new endpoint security strategy. Check the blog again later this week for more news on what you can expect in booth #1141 at Black Hat, and let us know if you have any questions in the comments section below (such as, “Hey, are you guys giving away that awesome 'Hunt or Be Hunted' t-shirt again?” and, “What about that ray gun?” – which is for us to know and for readers of future blog posts to find out…).
Recent intelligence about the Target breach, its scope, and its attack vectors has included the fact that memory-scraping malware was instrumental in hijacking credit-card data prior to its encryption for transmission to remote payment processors. Symantec reported on the registry keys and files dropped by the malware that are even now being used by software vendors to update their signature-based antivirus and alerting systems.
Think of it as the new arms race: Everyone from corporations to government agencies is engaged in a constant combat cycle with cyber-terrorists and criminals that goes through these phases:
- The bad guys launch a new type or method of attack
- Some (if not all) organizations attacked are breached
- Consequences ranging from real economic loss to destruction of physical—not virtual—resources cause the victimized organizations to begin studying and identifying the new threat
- At least one organization names the new attack method
- The organization or a security vendor finds a defense to the new threat
- The word spreads and, armed with the latest intelligence, organizations begin configuring the appropriate defenses
Here is the problem: the delay between a breach, the development of a defense, and the sharing of that solution can take months, if not longer. Why the delay? Because the good guys do not share enough information. The black hats are aggressively sharing techniques and new approaches. Thus, we applaud anything that the government can do to encourage the exchange of information on cybersecurity threats and the new methods employed by hackers and other cyber-criminals.
In my day job, we often discuss security tools and the respective processes that generate the requirements that demand the use of such tools. Lately, we have been debating incident response tools and processes as contrasted with forensic investigation tools and processes. Obviously, both have differing benefits that they bring to the general discipline of security. They also have differing requirements in terms of the tool sets that they require to execute those processes.
To me, the boundaries between forensic investigation and incident response have always been rather clear. Maybe slightly fuzzy at the exact interface between them, but not a huge gaping canyon of a zone of uncertainty. However, lately, I'm starting to believe that out there in the rest of the community it may not be so clear. I could be wrong... it wouldn't be the first time and I'm sure it won't be the last, especially if you ask some of my close friends.