Black Hat - SexyDefense, maximizing the home-field advantage

Filed Under: Law & order, Malware, SophosLabs

Blck Hat 2012 logoI’'m attending the BlackHat this year, and one of the most interesting and controversial talks so far was "SexyDefense - Maximizing the home-field advantage" by Iftach Ian Amit.

Ian opened with some very good advice about the defensive mindset: there is no final, optimal, best-practice security strategy. It's:

a) always evolving
b) specific to your organisation

Security compliance testing by itself does not improve organisational security. It's what the organisation does after the compliance test or penetration test that matters.

The theme of the conference as a whole this year seems to be that the concept of a "perimeter defense" is dead. There will always be gaps and breaches. We need to concentrate on detecting them as soon as possible and responding the best way possible.

Our focus should be on finding the next gap in security instead of looking for someone to blame for the previous gap.

Everything.logAnother useful piece of advice is to log everything everywhere, and filter later. Storage is cheap, missing an early sign of attack is expensive.

Some early warnings will be well outside any IDS system like the volume of calls to support, unusual sales enquiries or odd PC behavior reported by your staff.

Ian, similarly to keynote speaker Shawn Henry (ex-FBI), draws analogies between real-world defense and cyber-defense, and suggests taking the fight to the bad guys' territory.

One example was taking the DarkComet tool, infecting it with itself, and uploading it back to a popular "toolz" website. Everyone who downloaded that version of the tool, was 0wned. Another example was modifying a dodgy packer to leave a distinct signature.

The only caveat was: get legal advice appropriate to your country before attempting that at home.

I have many more issues with this. I've tried to discuss them with Ian after the talk, but his approach is "we work in a tainted space, it's naive to think we can do that wearing white gloves".

But let's consider the classic principle of anti-virus companies: "Don't modify malware, to do that is as bad as creating your own new malware". Is it really naive? We follow this principle even internally, never mind uploading this modified malware anywhere else.

Before we consider moral issues, let's consider usefullness of this approach.

Why would someone download a new version of your malware? I'd have thought that you would need to provide some useful new functionality. Ian reassures me that's not the case. Most bad guys would just grab the latest version even if there isn't anything new in it.

VirusThis doesn't eliminate the really clever adversaries. They build their own tools or are not willing to trust random code. Yet we can get the script kiddies while still wearing white gloves.

So, you've got some percentage of low-skill hackers who will use your modified tools. You're safe from these attacks. What about all the other attacks:

1. High-skill hackers who will use other tools against you
2. Low-skill hackers who get their tools elsewhere

If you play that game, how long before you actually write some new attack capabilities into your malware tools, to increase their adoption or to raise your street cred in the group you are infiltrating?

This slope is much more slippery than a simple "don't modify even one byte of malware" rule.

All of the above assumes that the modification went to plan, and you've done exactly what you wanted to do to this malware. As a developer, I can tell you it's not a good assumption to make with any piece of software, and I don't see why malware would be different.

Do you really want a new virus in the wild on your conscience? Even if your tools can detect it, what about everybody else's tools?

So now we are back to the moral side of the story. Going back to our comparison to the physical world, this talk seems to suggest we make some guns with a known ballistic signature and give them to criminals.

In the words of multiple James Bond villains: what could possibly go wrong?

, , ,

You might like

7 Responses to Black Hat - SexyDefense, maximizing the home-field advantage

  1. Bruce · 1169 days ago

    I've got to agree with you on this. To use another 'real life analogy' it's akin to when the cane toad was introduced to Australia to combat a bug (or the fox for that matter to combat a rabbit plague), unfortunately they didn't just do the job they were introduced for but thrived and are now a major pest and bigger danger to the ecosystem as their population grow uncontrollably without any natural predators. I could see this happening too with the strategy proposed - as much as I'd love to be able to 'infect' the hackers machines and give them the same headaches we get I think we're likely to end up shooting ourselves in the foot with this approach.

  2. Its kind of happened before where proof of concepts or trial software ended up going rogue and spreading over the internet look at the Morris Worm.

  3. Randy · 1169 days ago

    "we work in a tainted space, it's naive to think we can do that wearing white gloves".

    So what? Do you think the hackers are going to press charges?

    • "So what? Do you think the hackers are going to press charges? "

      The white gloves are important for a number of reasons. At the end of the day, you can show that your gloves are still white, to all and sundry. Wearing dirty gloves, it becomes much harder to prove HOW you got them dirty, and how far that goes.

      After all, if you're fine infecting the tools used by the criminals, maybe you're fine infecting the tools that may also be used by security investigators... or the ones used by someone considered criminal in your country but not in others.... The slope is indeed slippery.

      His idea of watermarking the malware has similar issues -- the first thing a malware author is going to do is test the malware against common products -- which would instantly trigger detection. Investigation would quickly turn up the watermark, which would then be removed.

  4. roy jones jr · 1168 days ago

    If I'm to look at this on the surface, there seems to be more problems than resolutions. I just don't see the "programs hacking programs" working to a win-win scenario.

  5. nite · 1166 days ago

    SexyDefence, NakedSecurity... hmm?

    Though to be on topic, this is a great idea. Criminals and dishonest people tend to be stupid, and susceptible to social hacking. While this sort of attack will not catch everyone, it would make a good preemptive defense tool.

    This isnt all that different from the honeypot technique.

  6. Harry · 1161 days ago

    Are you serious? "Criminals tend to be stupid?" That kind of thinking will lead to big trouble.. Look up Kevin Mitnick.. Watch the movie on him, That's how some of the criminal element are.. Not stupid at all!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Irene Michlin is a senior software engineer at Sophos.