Cybersecurity vendor Symantec is trying something new with its malware honey pots - selling them.
Like competitors McAfee and Sophos, the Mountain View, Calif., company has long owned and operated thousands of so-called honey pot PCs around the world. When one of these PCs is infected by a virus or probed by a hacker, the malware is captured and sent to a company lab, where analysts try to reverse-engineer it as the first step toward alerting government agencies, corporations or consumers.
In February, Symantec surprised its competitors by announcing that it would package up versions of its honey pot sensors and automated analytic tools and sell them to U.S. government agencies, NATO and major corporations.
These customers believe that keeping analysis in-house will keep the authors of malware in the dark as long as possible, allowing investigators the maximum time to track keystrokes, decipher tactics and ferret out motive and strategy. "When it's everyday kind of malware, [agencies and corporations] are still depending on us to do all the work for them," said Chet Wisniewski, senior security adviser for the cybersecurity firm Sophos, headquartered in Abingdon, England, and Burlington, Mass. "When it's something specific, that means that somebody was trying to get into their organization, they have a tendency to be a lot more cautious and to do a lot of that internally."
Symantec officials told reporters in February that the move would allow agencies to react more quickly to increasingly sophisticated, pinpoint malware attacks.
"We need to be able to give them a technology that they can house and own and operate sometimes in classified situations where they have access to all of the information that they need to move forward with their missions," said Joe Pasqua, vice president of research for Symantec.
Pasqua said the secret option is necessary for some customers. With the traditional approach of publishing a malware signature to help others spot the bad code, "the adversary will know, 'Aha. They've detected this exploit,'" he said. "If you're a government agency, you may not want to do that. You may want to protect some of the information you have."
It would be up to the customers to decide "what they want to keep public, what they want to keep private," he said.
But the company's competitors said Symantec's new approach wouldn't necessarily help customers.
Dave Marcus, director of security research for McAfee Labs, based in Santa Clara, Calif., said he understands the logic behind an agency's desire to have its own tools, but those tools are worthless in a vacuum, he said.
"If you're giving them tools to do their own analysis automatically, then what?" he said. "You can know what the threat is, you can know what the malware does, but unless you can write some content to protect against it, the analysis doesn't do a whole lot."
Wisniewski of Sophos said the products could be dangerous if they were leaked by a customer.
"The offensive cyber capabilities [of the U.S. military and intelligence community] could be tripped up by something like this," he said. "What happens if a foreign company or foreign government that we might want intelligence from captures our offensive techniques?" Symantec is "a well-respected vendor in the industry and all that, but at the same time, it seems like it's a complicated business to get into," Wisniewski said.
Symantec points out that the U.S. National Security Agency's Information Assurance Directorate is leading development of an anti-malware countermeasures standard, called the Security Content Automation Protocol. Agencies that find malware could draft their software responses to this standard. Baiting the Trap The core of the Symantec proposal is a product in its alpha development stage known internally as ScriptGenNet, or SGNet. It would consist of PC-sized honey pot computers programmed to look just like Web, mail or file transfer protocol (FTP) servers, attached to, say, the U.S. government's Nonclassified Internet Protocol Router Network, and the Secret Internet Protocol Router Network.
"We want to entice [malware users] to think that they are in a pristine network," said Rob Walters, senior director for Symantec Research Labs. "They can look around and go, 'Whoa, this has got some good stuff that I need.'" Software would scan incoming digital communications for evidence of computer language that is out of the norm - a possible indicator of malware. The system would automatically steer the digital conversation to a more powerful backend computer, which would continue the conversation using a more detailed simulation of the Web, mail or FTP server.
"It keeps that discussion going with the attacker. The attacker can't figure out that it's just a bait machine," Pasqua said.
All the while, the conversation would be automatically analyzed, and if malware were diagnosed, the code would be sent to another computer, called the Symantec Malware Analysis and Research Triage Harness.
Automation would be key.
"These government agencies don't want more data. They want more intelligence. You give them more data, and it's more stuff to swim around in," Pasqua said. "What they really want is to take these huge feeds of security information and whittle them down."
He said the security companies and government agencies have no choice but to automate. In a tactic called polymorphism, malware authors are using software to rapidly create new versions of their code so it cannot be easily picked up by security software.
"They want to keep us busy," Walters of Symantec said.
Like competitors McAfee and Sophos, the Mountain View, Calif., company has long owned and operated thousands of so-called honey pot PCs around the world. When one of these PCs is infected by a virus or probed by a hacker, the malware is captured and sent to a company lab, where analysts try to reverse-engineer it as the first step toward alerting government agencies, corporations or consumers.
In February, Symantec surprised its competitors by announcing that it would package up versions of its honey pot sensors and automated analytic tools and sell them to U.S. government agencies, NATO and major corporations.
These customers believe that keeping analysis in-house will keep the authors of malware in the dark as long as possible, allowing investigators the maximum time to track keystrokes, decipher tactics and ferret out motive and strategy. "When it's everyday kind of malware, [agencies and corporations] are still depending on us to do all the work for them," said Chet Wisniewski, senior security adviser for the cybersecurity firm Sophos, headquartered in Abingdon, England, and Burlington, Mass. "When it's something specific, that means that somebody was trying to get into their organization, they have a tendency to be a lot more cautious and to do a lot of that internally."
Symantec officials told reporters in February that the move would allow agencies to react more quickly to increasingly sophisticated, pinpoint malware attacks.
"We need to be able to give them a technology that they can house and own and operate sometimes in classified situations where they have access to all of the information that they need to move forward with their missions," said Joe Pasqua, vice president of research for Symantec.
Pasqua said the secret option is necessary for some customers. With the traditional approach of publishing a malware signature to help others spot the bad code, "the adversary will know, 'Aha. They've detected this exploit,'" he said. "If you're a government agency, you may not want to do that. You may want to protect some of the information you have."
It would be up to the customers to decide "what they want to keep public, what they want to keep private," he said.
But the company's competitors said Symantec's new approach wouldn't necessarily help customers.
Dave Marcus, director of security research for McAfee Labs, based in Santa Clara, Calif., said he understands the logic behind an agency's desire to have its own tools, but those tools are worthless in a vacuum, he said.
"If you're giving them tools to do their own analysis automatically, then what?" he said. "You can know what the threat is, you can know what the malware does, but unless you can write some content to protect against it, the analysis doesn't do a whole lot."
Wisniewski of Sophos said the products could be dangerous if they were leaked by a customer.
"The offensive cyber capabilities [of the U.S. military and intelligence community] could be tripped up by something like this," he said. "What happens if a foreign company or foreign government that we might want intelligence from captures our offensive techniques?" Symantec is "a well-respected vendor in the industry and all that, but at the same time, it seems like it's a complicated business to get into," Wisniewski said.
Symantec points out that the U.S. National Security Agency's Information Assurance Directorate is leading development of an anti-malware countermeasures standard, called the Security Content Automation Protocol. Agencies that find malware could draft their software responses to this standard. Baiting the Trap The core of the Symantec proposal is a product in its alpha development stage known internally as ScriptGenNet, or SGNet. It would consist of PC-sized honey pot computers programmed to look just like Web, mail or file transfer protocol (FTP) servers, attached to, say, the U.S. government's Nonclassified Internet Protocol Router Network, and the Secret Internet Protocol Router Network.
"We want to entice [malware users] to think that they are in a pristine network," said Rob Walters, senior director for Symantec Research Labs. "They can look around and go, 'Whoa, this has got some good stuff that I need.'" Software would scan incoming digital communications for evidence of computer language that is out of the norm - a possible indicator of malware. The system would automatically steer the digital conversation to a more powerful backend computer, which would continue the conversation using a more detailed simulation of the Web, mail or FTP server.
"It keeps that discussion going with the attacker. The attacker can't figure out that it's just a bait machine," Pasqua said.
All the while, the conversation would be automatically analyzed, and if malware were diagnosed, the code would be sent to another computer, called the Symantec Malware Analysis and Research Triage Harness.
Automation would be key.
"These government agencies don't want more data. They want more intelligence. You give them more data, and it's more stuff to swim around in," Pasqua said. "What they really want is to take these huge feeds of security information and whittle them down."
He said the security companies and government agencies have no choice but to automate. In a tactic called polymorphism, malware authors are using software to rapidly create new versions of their code so it cannot be easily picked up by security software.
"They want to keep us busy," Walters of Symantec said.
No comments:
Post a Comment