Showing posts with label DFIR. Show all posts
EnCase and Entropy: Foiling Polymorphic Malware with Thermodynamics
You’ve seen it in a dozen movies: a character commits a crime, is ID’ed on security-camera footage, then dyes her hair to alter her appearance in hopes of evading capture. The m.o. is the same for polymorphic malware: malicious software that constantly mutates so that no two samples share the byte patterns a signature or blacklist keys on. Although it is not a new addition to the hacker’s arsenal, polymorphic malware has lately become a favorite and highly dangerous tactic of organized cyber-crime groups.
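The post title ties polymorphism to entropy, and the excerpt above explains why a signature stops matching once the sample mutates. The following is an added example, not Guidance Software's code or anything from EnCase: a toy packer re-encodes one payload under a fresh key per sample, a byte signature and a file hash then miss every variant, while a Shannon-entropy check flags all of them because the encoded body looks like random data. The payload, the signature string, the SHA-256 counter-mode keystream, the sample layout and the 6.5-bit threshold are all constructed for the demonstration.

```python
import hashlib
import math
import random
from typing import Optional

# Constructed stand-in for a malicious payload (plain text so that a byte
# signature has something to match). It is not real malware.
PAYLOAD = (b"cmd.exe /c whoami && net user attacker P@ss /add && "
           b"reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run "
           b"/v upd /d %TEMP%\\upd.exe\r\n") * 6

# Byte signature a scanner might extract from the first sample it saw.
SIGNATURE = b"net user attacker"

SEED_LEN = 16  # assumed size of the per-sample key stored inside the sample


def keystream(seed: bytes, length: int) -> bytes:
    """Deterministic byte stream derived from a seed (SHA-256 in counter mode).
    Stands in for the fresh key a polymorphic packer uses per sample."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def make_variant(payload: bytes, seed: Optional[int] = None) -> bytes:
    """Emit a new-looking sample of the same payload: random-length junk, a
    fresh packing seed, and the payload XORed under that seed's keystream.
    Layout (assumed): [junk_len:1][junk][seed:16][encoded payload].
    A real packer would also prepend a decoder stub; that is omitted here.
    `seed` only makes the output reproducible for testing."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    junk_len = rng.randrange(16, 64)
    junk = bytes(rng.getrandbits(8) for _ in range(junk_len))
    pack_seed = bytes(rng.getrandbits(8) for _ in range(SEED_LEN))
    body = xor(payload, keystream(pack_seed, len(payload)))
    return bytes([junk_len]) + junk + pack_seed + body


def unpack(sample: bytes) -> bytes:
    """Recover the payload, as the (omitted) decoder stub would at run time."""
    junk_len = sample[0]
    pack_seed = sample[1 + junk_len:1 + junk_len + SEED_LEN]
    body = sample[1 + junk_len + SEED_LEN:]
    return xor(body, keystream(pack_seed, len(body)))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for one repeated value, 8.0 for a uniform spread over
    all 256 values. Text sits around 4-5 bits; packed or encrypted data near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def signature_hit(sample: bytes) -> bool:
    """What a blacklist or signature engine does: exact substring match."""
    return SIGNATURE in sample


def entropy_hit(sample: bytes, threshold: float = 6.5) -> bool:
    """What entropy-based triage does: flag anything that looks packed."""
    return shannon_entropy(sample) >= threshold


def triage(samples: dict) -> dict:
    """Per sample: (signature hit, entropy hit, sha256). Hashes and signatures
    diverge across variants; the entropy verdict does not."""
    return {name: (signature_hit(s), entropy_hit(s), hashlib.sha256(s).hexdigest())
            for name, s in samples.items()}


if __name__ == "__main__":
    samples = {"original": PAYLOAD}
    samples.update({f"variant{i}": make_variant(PAYLOAD) for i in range(3)})
    for name, (sig, ent, digest) in triage(samples).items():
        print(f"{name:9} sig={sig!s:5} entropy={ent!s:5} "
              f"H={shannon_entropy(samples[name]):.2f} sha256={digest[:12]}")
```

The threshold is the practitioner's caveat: legitimately compressed or encrypted files (archives, installers, media) score just as high, so an entropy hit is a reason to look closer at a file or memory region, not a verdict on its own.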
Black Hat 2014: It’s the Year of the Endpoint
We just got back from Las Vegas, where we were excited to see so many information security, legal, and digital forensics pros at CEIC 2014 at Caesars Palace. But we’re already ramping up to head back to Vegas for Black Hat 2014, the annual confab designed for the InfoSec practitioners we love to work with.
- "A POS Hack: What's in Your Wallet?" with retail security professional Richard Thompson
- "A 360-Degree View of Enterprise Risk"
- "Endpoints Under Attack"
- "Strategies for Verizon DBIR Top Three Breaches," with EnCase Cybersecurity product manager Ransher Singh
- A handful of choice guest speakers to be announced in a later blog post.
And that’s just Wednesday. Careful readers will see a theme emerging: advances in perimeter security aren’t enough; you need a new endpoint security strategy.
Check the blog again later this week for more news on what you can expect in booth #1141 at Black Hat, and let us know if you have any questions in the comments section below (such as, “Hey, are you guys giving away that awesome 'Hunt or Be Hunted' t-shirt again?” and, “What about that ray gun?” Which is for us to know and for readers of future blog posts to find out…).
- Posted by: Siemens
- No comments
- Categories: Black Hat , DFIR , Endpoint Visibility , HP ArcSight , SANS , Verizon DBIR
How Endpoint Security Analytics Could Have Cut the Target Hack Short
Recent intelligence about the Target breach, its scope, and its attack vectors has confirmed that memory-scraping malware was instrumental in hijacking credit-card data: the malware read card data out of point-of-sale process memory, where it sits in the clear before being encrypted for transmission to the remote payment processors. Symantec reported the registry keys and files dropped by the malware, and those indicators are even now being used by software vendors to update their signature-based antivirus and alerting systems.
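As an added example (not the page's, Symantec's or any vendor's code), the scan below is what "memory scraping" reduces to: walking a byte buffer for track-2 card records that a POS process holds in the clear before encryption. The same regex, with a Luhn check to weed out random digit runs, is what an investigator runs over a memory image to find where cleartext card data lives. The sample buffer, the industry test PANs in it, the record layout and the function names are constructed assumptions.

```python
import re
from typing import NamedTuple

# Track 2 layout: ;PAN=YYMM SVC discretionary?  (start sentinel ';', field
# separator '=', end sentinel '?'). Regex assumed for the demonstration.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})([^?]{0,30})\?")


class Track2Hit(NamedTuple):
    offset: int        # where in the buffer the record starts
    masked_pan: str    # first 6 + last 4 only; never log the full PAN
    expiry: str        # MM/YY
    luhn_valid: bool   # digit runs that merely look like PANs fail Luhn


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(buf: bytes) -> list:
    """Scan an arbitrary byte buffer (a process memory dump, a pagefile, a
    capture) for track-2 records and report them with the PAN masked."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        yy, mm = m.group(2).decode(), m.group(3).decode()
        hits.append(Track2Hit(m.start(), mask_pan(pan), f"{mm}/{yy}", luhn_valid(pan)))
    return hits


# Constructed memory snippet: two Luhn-valid industry test PANs, one PAN that
# fails Luhn, embedded in binary noise. Not a real dump.
SAMPLE_MEMORY = (
    b"\x00\x00POS terminal v4.2\x00"
    b";4111111111111111=27121011234567?"
    b"\x00\x00garbage\xff\xfe"
    b";4111111111111112=26011010000000?"
    b"\x7fELF\x00"
    b";5500000000000004=28031010000000?"
    b"\x00"
)


def summarize(buf: bytes) -> tuple:
    """(records found, records passing Luhn): the numbers an analyst reports."""
    hits = find_track2(buf)
    return len(hits), sum(h.luhn_valid for h in hits)


if __name__ == "__main__":
    for h in find_track2(SAMPLE_MEMORY):
        print(f"offset {h.offset:6d}  {h.masked_pan}  exp {h.expiry}  luhn={h.luhn_valid}")
```

Two practical points follow from running this against a real image: the hit count tells you which process (and which memory region) is the exposure, which is the question an endpoint analytics pipeline can answer before any signature for the malware exists; and the masking matters, because an investigator's own report must not become the next cardholder-data leak.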
- Posted by: Siemens
- No comments
- Categories: Analytics , Anomalies , Audit , DFIR , Endpoint Intelligence , Endpoint Visibility , Intelligent Security
The Cybersecurity Framework: Identification, Collaboration, and Proactive Defense
Think of it as the new arms race: Everyone from corporations to government agencies is engaged in a constant combat cycle with cyber-terrorists and criminals that goes through these phases:
- The bad guys launch a new type or method of attack
- Some (if not all) organizations attacked are breached
- Consequences ranging from real economic loss to destruction of physical—not virtual—resources cause the victimized organizations to begin studying and identifying the new threat
- At least one organization names the new attack method
- The organization or a security vendor finds a defense to the new threat
- The word spreads and, armed with the latest intelligence, organizations begin configuring the appropriate defenses.
- Posted by: Siemens
- No comments
- Categories: Analytics , Big Data Security Analytics , Cybersecurity , Data Breach , DFIR , NIST Cybersecurity Framework
Border Wars: Incident Response vs. Forensic Investigation
In my day job, we often discuss security tools and the processes whose requirements drive the use of those tools. Lately we have been debating incident response tools and processes as contrasted with forensic investigation tools and processes. Obviously, each brings its own benefits to the general discipline of security, and each has its own requirements for the tool sets needed to execute its processes.
To me, the boundaries between forensic investigation and incident response have always been rather clear. Maybe slightly fuzzy at the exact interface between them, but not a huge gaping canyon of a zone of uncertainty. However, lately, I'm starting to believe that out there in the rest of the community it may not be so clear. I could be wrong...it wouldn't be the first time and I'm sure it won't be the last, especially if you ask some of my close friends.
- Posted by: Unknown
- No comments
- Categories: best practices , Cybersecurity , DFIR , digital forensics , Incident Response , Information Security , infosec , Policy