Malware: Cat and Mouse Forever?

By Ken Dunham – ISSA Distinguished Fellow, Boise Chapter

As we focus on the impact of malware upon cybersecurity, it’s important that we embrace the lessons learned over the past three plus decades of malware in the wild. The author looks at notable malware events that have taken place over the last few decades: have we learned anything, or will we be playing cat and mouse with our malware adversaries forever?

Abstract

As we focus on the impact of malware upon cybersecurity, it’s important that we embrace the lessons learned over the past three plus decades of malware in the wild. History does indeed repeat itself. Cybersecurity also has the characteristics of a “cat and mouse” game, where action and reaction define a lifelong process of the battle between good and evil. A cat that has caught a mouse doesn’t kill it but plays with it. The mouse may play dead for a while, and then may run, and might even get away for that day, but the saga continues between the two. Taking a look at notable malware events that have taken place over the last few decades, have we learned anything, or will we be playing cat and mouse with our malware adversaries forever?

1980s – Emergent threats

Fred Cohen officially coined the term “virus” in 1983. During this early stage of malware identification, it was easy to see that motives varied significantly amongst the threat actors of that time period. For example, the Brain virus was created by the Alvi brothers out of Pakistan to stop pirating activities of their medical software [4]. Other viruses infected files or boot sectors of floppy disks in an attempt to see how a virus could be created and find out what it could do. While early history is often debated, it’s clear that means and motives were about discovery and the traditional meaning of “hacking” to figure out what one could do with various virus tactics and programming.

We still have human creativity at the heart of malware today. The threat landscape has become increasingly complex, with a massive variety of opportunities in an age of Internet of things (IoT). Connected homes, connected cars, and modern-day computers are examples of emerging technology. Computer programmers are the heart of this technical ingenuity. Unfortunately, dark-side coders are also the nemesis to this technical inspiration. The spirit of discovery and accomplishment, coupled with human ingenuity, will always be at the heart of our cybersecurity battles.

Cat & Mouse Game Lesson: Human creativity and ingenuity coupled with criminal intent still drives innovation and reactive security measures.

ISSA Journal | November 2018 | ©2018 ISSA • www.issa.org • [email protected] • All rights reserved.

1988 – Morris worm

In 1988, Robert Morris created a buffer overflow exploit worm that infected DEC VAX and Sun machines running BSD Unix [2]. Within 24 hours of being released into the wild the Morris worm was a global problem that impacted an estimated 10 percent of the global Internet community. In 1990, Morris was the first criminal convicted for fraud and deception related to malware. The conviction brought a stiff sentence of three years probation, a $10,000 fine, and 400 hours of community service. The motive behind why his worm was created is still debated, some saying it was his attempt to gauge the size of the Internet while others say it helped defend some of his father’s agenda as a cryptographer concerned about security on the Internet. All accounts tend to point towards Morris having launched the worm and then having it spiral out of control, doing more than he had anticipated. As a result of the Morris worm, DARPA funded CERT/CC to centralize cybersecurity-related emergencies.

Today there are a variety of incident response (IR), security operation center (SOC), and war room supporting units in both the commercial and governmental sectors. Many companies now have dedicated SOCs and/or incident response/war room staff or retainers in preparation for such events, should they occur. While this is a huge step forward, we still see crippling attacks like WannaCry that take the world by storm. This often reveals failures in response units and war room protocols rarely tested or not in place for less mature organizations.

Cat & Mouse Game Lesson: Threats have a way of rearing their ugly heads on a global scale despite all our efforts to date. Even with companies that are more mature, with IR and SOC solutions in place, handling a global crisis is still something most companies don’t do well despite such threats over all these years.

1990s – Hypertext, macro, Trojan malware, and exploit tools emerge

Innovation within malware development continued, diverging into different types of applications, files, and delivery mechanisms. One of the earlier malware samples in the 1990s was known as “merryxmas” [5]. This piece of malware infected Hypertext files common to the Macintosh operating system. When an infected “stack” or file was opened, it infected the home stack, then infecting all other stacks as they were opened and/or shared. By 1995, Microsoft-based macro viruses became all too common. By the late 1990s, Trojans and exploit tools for hacking were readily available and being used regularly for both hacking and criminal gain. During this period of malware creativity, the dawn of polymorphism took place. Malware authors constructed different strategies to create randomized viruses en masse. These malware variations were similar in functionality, but more difficult to detect.

A notable piece of malware in 1999 was the first hardware-based virus, called CIH. This piece of malware took advantage of a Microsoft Windows 9x vulnerability to overwrite drives and also destroy the BIOS if the hardware was vulnerable to the attack [9]. Due to the Asian black market and how this file-infecting virus spread, hundreds of thousands of computers were wiped out in a single day when it released its payload on April 26, 1999.

Today, BIOS settings and hardware-based components are hardened against attacks because of lessons learned with CIH. This does not make them immune to other types of attacks, such as abuse of memory available on a graphics card for storage of code or manufacturer manipulation of code, etc. Unfortunately, this did stop such dramatic hardware-based payloads in their tracks following CIH in 1999. The darknet hosts millions of attack files, millions of victim-based data from breaches, and connects criminals from around the world [3]. Documentation, tools, and private support are greater than they have ever been for the adversary.

Cat & Mouse Game Lesson: New technology introduces new opportunity for criminals who are quick to exploit it for maximum gain. Use of new technology is almost always done with functionality first and security much later, leaving room for widespread exploitation for months or years as technology is adopted.

2000 – A new era

Around the turn of the century a shift in malware development and tactics occurred. A massive explosion of malware activity took place relating to impact. Millions of everyday users were now using the Internet; exploitation of new technology was on the rise; and infection was easily scalable. Trojans now turned into bots, where not only one computer but thousands could be infected at a time. These infected machines were then managed through a botnet system such as Internet Relay Chat (IRC). Worms utilizing email as their delivery mechanism were commonplace with outbreaks like ILOVEYOU, Anna Kournikova worm, , , , , Welchia, Storm, and many more. Vulnerability discovery, disclosure, and exploitation began to take a huge role in the threat landscape because of how they are utilized by botnet and worm authors for both criminal and nation-state gain.

Today, several very mature criminal worlds exist, especially out of Russia, Ukraine, Romania, and China, to mention a few. Botnet management has scaled well beyond the early days of IRC servers into multi-layered RESTful and mobile interfaces for the busy criminal on the go. Tools, tactics, and procedures have changed dramatically, revealing great levels of maturity towards targeting, semi-targeting, and large-scale opportunistic attacks. An explosion of technologies, including smart phones and mobile devices, changed the landscape for both security and opportunities of attack. While some actors have been brought to justice and laws created in many countries, bad actors continue to perform criminal activities every day under the anonymity of the Internet. The cost of breaches is increasing annually [7].

Cat & Mouse Game Lesson: Anonymity and the complexities of global investigations, laws, and law enforcement capabilities continue to harbor Internet criminals without much recourse.

2010 – Present day

Espionage and nation-state threat actors have become a popular topic of discussion. Global awareness has increased since the popularization of the term “Advanced Persistent Threat” and public disclosures of teams like the Comment Team, aka APT1 [6]. Stuxnet is one of the most recognized malware samples kicking off this era, disclosed in 2010. This piece of malware related to the targeting of Iran’s nuclear program (SCADA) [11]. Ransomware also became a major theme of attack and extortion globally during this time frame [8]. Russian-based code like is a service and is all too common in the wild.


Worms such as WannaCry still take the world by storm but are not as common as at the dawn of such worms in the former era. Interestingly enough, WannaCry exploitation was based off of an NSA hacking toolkit leak that took place in 2016. Mobile threats are now commonplace, but these particular threats rely more on social engineering-related tactics and rogue applications developed by malicious threat actors.

In 2018, the threat landscape is diverse with both criminal and nation-state attacks. No matter how big or how small an organization or what its function is, they all have information, connections, and data of interest to someone somewhere. Even an industry such as manufacturing would have dependence upon computers. This type of environment would be dependent upon industrial control systems (ICS) for uptime, which add significant layers of defensive posture complexities.

Cat & Mouse Game Lesson: Dependence upon Internet-based technologies, especially with Internet of things (IoT), and integration is increasing dramatically, significantly changing the risk landscape. As seen with threats like Slammer, where integrated software packages containing a vulnerability were exploited to the surprise of many who thought they had , IoT is a Pandora’s box of opportunity for exploitation.

Trends

Several trends are evident over the years of the malware cat and mouse games:

• The human-to-keyboard error will always exist. Our adversary is intelligent and knows us all too well and is quick to exploit our human nature. Investing in our people to lower risk will always be an important challenge.

• The latest and greatest technology is always fast to market with security solutions following adoption by the marketplace. Any newer solution, such as Cloud solutions in 2018 and beyond, will attract new types of attacks as they emerge. From a criminal perspective, some of the best profits are made as a technology is being introduced to market and then the threat reaches critical mass on a global scale.

• We are in an information age with increased interdependence upon the Internet of things and network connectivity. We all now have a role in securing our own assets as well as assets of partners, clients, and country. Nobody can claim it’s not his responsibility any longer. Targeted attacks now have the means to traverse through partners of the eventual target. The amount of information, analytics, and artificial intelligence (AI) on top of all that data will only increase in the years to come.

• All means and motives of social engineering, manipulation, and abuse will continue to be highly prevalent in our ever-connected world of technology going forward.

• History shows that most organizations would rather deny and ignore a potential risk as long as it hasn’t “hit them yet.”

• It takes an intentional awareness and managerial effort to move an enterprise-based risk management program forward, which can migrate from reactive to proactive. As important as the effort is for this cultural shift, we will likely see a continuance of largely reactive postures and actions even after a breach because human nature will always be the weakest link to overcome.

• A convergence of SecOps and DevOps will take place with our new big data era, where DevOps will likely be adversarial to SecOps. In most cases, development of new technology and making sure it “works” takes priority, with security being an afterthought. This trend will continue, but will be severely exacerbated by industry movement towards big data, analytics, machine learning, and artificial intelligence. The gap between SecOps and DevOps will be exploited by bad actors just as similar gaps in the history of vulnerability discovery and management have been.

• Managers will continue to measure their effectiveness with questions such as “Am I better than my competitor?” and “We are compliant, and that is good enough, right?” Striving for excellence and effectiveness are challenges that all organizations will continue to fight in an ever-increasingly “busy” world.


Cat and mouse today?

In 2018 some of the top threats include the following [1][10]:

• Cryptojacking and cryptomining

• Ransomware remains a critical threat

• Attack surface expanded with IoT

• Smart medical devices with little to no security and impact upon electronic medical records

• Third-party vendor risk management

• Ongoing large breaches including Facebook and others

The first two threats of mention are related to ongoing mature eCrime operations linked to cryptocoin currency payoff and extortion. There is a lot of hype around Bitcoin and its value, mining to make a profit, with many rushing towards it in a hope to get rich quick. All such currencies are different from traditional currencies and have inherent risks that have yet to be fully realized in the global economy. As seen with the physical gold rush in the US, some will make a handsome profit while many will be left in the dust. What is clear with this trend and current-day threat is the human motive to get rich: both the good guys trying to mine and the bad guys compromising computers to mine illegally are highly motivated and moving quickly. This threatscape appears to be reaching a peak in the next few years along with diversification of other cryptocurrencies now available globally.

IoT is arguably one of the hottest trends that is tangentially related to smart devices in the medical field. The risk landscape has changed dramatically to where Internet-accessible and/or -exploitable devices can now control whether you can get in and out of a car or administer pain medication to a patient. With so much integration, inter-dependence, and little to no security of nascent IoT devices, widespread exploitation and abuse with clever applications is sure to follow. This is part of how humans work, eager to rush out and try something new but not really understanding the full consequences. The cat and mouse game reaction is to then reactively try to fix it and make it better, sometimes making things worse before things actually improve.

Third-party risk and ongoing breaches like that of Facebook can have huge implications. As seen with the Facebook breach, the Facebook token used to authenticate to a ton of other websites or apps was part of the breach. In other words, it is like a stolen universal password to a bunch of sites or apps used by an individual. The lesson learned here is that if you have integration of such a solution, you must then harden it against attack so that you don’t get breached through it (which is very difficult) and also design the token to be more robust so that by default risk is best mitigated before such a breach happens. People tend to avoid integration and the more complex subjects related to security of this matter, which is why third-party risk will continue to be a very challenging subject for many going forward.

Concluding remarks

Early viruses spread via files and disks. Then came macros and attachments. Then URLs and targeted attacks. Now mobile and Internet of things (IoT). With each new generation of technology and attack surface the enemy is out in front taking full advantage of the opportunity. Meanwhile the security industry is largely reactive, working much slower than its adversary, not even mastering the core pillars of security while buying the next greatest technology to solve problems. Patches are way behind or non-compliant, there is little to no whitelisting, and configuration management falls by the wayside.

Will we play cat and mouse forever? Or will we resolve to add strategic focus to our management? Will we commit to intentionally move forward and mature our programs and approach, proactively and strategically? These are tough questions with real-world implications if you do commit, in a world that is challenged with job hoppers and a lack of experienced security staff to fill positions.

Human nature will always result in an action and reaction cat and mouse game no matter what the field of engagement. Expect innovation and creativity to rear an ugly head when criminal opportunity finds a new nascent technology solution with assets ready for the harvest. Accept malware risk as a reality of doing business in 2018 and beyond. It’s not about stopping the threat but lowering the risk, and if you do have an incident, mitigating it quickly with the least amount of damage possible. This requires a significant amount of effort on proactive measures to best understand and counter the tools, tactics, and procedures of the enemy.

As seen with historical breaches and incidents, only a small percentage of companies are committed enough towards battling malware to focus and invest towards a true proactive protection against threats that impact their network. If you don’t have any such plan today, start by creating visibility into the malware threats that you see in your network. How many threats did you experience last month? What are the vectors of attack? How many incidents took place compared to risk of exposure? How many threats were blocked, and by what solution for which vectors? When looking at the types of threats your organization faces, which are the most important to you and deserving of additional resources (rootkits, espionage, etc.)? A pulse upon the threats facing your organization, overlapped with your defensive architecture and strategic plan, clearly reveals where focus needs to take place to best manage the risk.

References

1. Bonderud, D., “Cybersecurity Threats in 2018: Cryptojacking, Ransomware and a Divided Zero-Day Market,” Security Intelligence – https://securityintelligence.com/news/cybersecurity-threats-in-2018-cryptojacking-ransomware-and-a-divided-zero-day-market/.

2. Bortnik, S., “Five Interesting Facts about the Morris Worm (for its 25th anniversary),” WeLiveSecurity, Nov. 6, 2013 – https://www.welivesecurity.com/2013/11/06/five-interesting-facts-about-the-morris-worm-for-its-25th-anniversary/.

3. Finklea, K., “Dark Web,” Congressional Research Service – https://fas.org/sgp/crs/misc/R44101.pdf.

4. Kaspersky, “A Brief History of Computer Viruses & What the Future Holds,” Kaspersky Labs – https://usa.kaspersky.com/resource-center/threats/a-brief-history-of-computer-viruses-and-what-the-future-holds.

5. Knight, D., “Classic Mac OS Viruses,” Low End Mac, Nov. 1, 2015 – http://lowendmac.com/2015/classic-mac-os-viruses/.

6. Mandiant, “APT1 – Exposing One of China’s Cyber Espionage Units,” Mandiant – https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf.

7. Ponemon, “2018 Cost of a Data Breach Study,” IBM Security – https://www.ibm.com/security/data-breach.

8. Symantec, “Internet Security Threat Report (ISTR), Volume 22,” Symantec – https://www.symantec.com/content/dam/symantec/docs/reports/istr-22-2017-en.pdf.

9. Symantec Security Center, “W95.CIH,” Symantec – https://www.symantec.com/security-center/writeup/2000-122010-2655-99.

10. University of San Diego, “Cybersecurity Threats in 2018,” University of San Diego – https://onlinedegrees.sandiego.edu/top-cyber-security-threats/.

11. Zero Days (TV Documentary) – https://www.imdb.com/title/tt5446858/.

About the Author

Ken Dunham, CISSP, CISM, has nearly three decades of combined business, technical, and leadership experience in cybersecurity, incident response, and cyber threat intelligence. Over his long career he has taught at all levels, helped to create training programs for pilots and navigators of the U2, Warthog, and Predator programs, and authored and contributed to many books and security articles. He owns an advanced intelligence response company, 4D5A Security LLC, and runs non-profit Rampart Research for information sharing and networking of global incident responders. He is an ISSA International director and may be reached at [email protected].
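The closing section asks a reader with no plan yet to start by building visibility: how many threats last month, over which vectors, how many became incidents, and which control blocked what. The script below is an added illustration of that first step and is not part of the article or of any product the author names. The alert line format, the control names, and the sample alerts are all constructed for the example; in practice the same aggregation would be run over exported alerts from whatever mail gateway, proxy, and endpoint tooling an organization already has.

```python
"""Threat-visibility pulse: summarize a month of malware alerts by vector,
by blocking control, and by outcome. Added example; the log format and the
sample lines are constructed for illustration, not taken from any product."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample alert lines. Assumed format (not a real product's):
#   <ISO timestamp> <vector> <threat-family> <control> <blocked|allowed>
SAMPLE_ALERTS = """\
2018-10-02T08:14:00 email   emotet        mail-gateway  blocked
2018-10-02T09:03:00 email   emotet        mail-gateway  blocked
2018-10-03T11:20:00 web     cryptominer   proxy         blocked
2018-10-05T13:45:00 web     cryptominer   endpoint-av   allowed
2018-10-09T16:30:00 usb     autorun-worm  endpoint-av   blocked
2018-10-14T02:10:00 rdp     ransomware    none          allowed
2018-10-21T10:00:00 email   macro-dropper mail-gateway  blocked
2018-10-22T10:05:00 email   macro-dropper endpoint-av   allowed
2018-09-28T23:59:00 web     adware        proxy         blocked
""".splitlines()


def parse_alert(line):
    """Split one alert line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, vector, family, control, outcome = parts
    if outcome not in ("blocked", "allowed"):
        return None
    return {
        "time": datetime.fromisoformat(ts),
        "vector": vector,
        "family": family,
        "control": control,
        "blocked": outcome == "blocked",
    }


def alerts_in_month(lines, year, month):
    """Keep only well-formed alerts whose timestamp falls in the given month."""
    out = []
    for line in lines:
        a = parse_alert(line)
        if a and a["time"].year == year and a["time"].month == month:
            out.append(a)
    return out


def threat_pulse(alerts):
    """Answer the visibility questions: how many threats, over which vectors,
    how many became incidents (not blocked), and which control blocked what."""
    by_vector = Counter(a["vector"] for a in alerts)
    incidents = [a for a in alerts if not a["blocked"]]
    blocked_by = defaultdict(Counter)  # control -> vector -> count
    for a in alerts:
        if a["blocked"]:
            blocked_by[a["control"]][a["vector"]] += 1
    return {
        "total": len(alerts),
        "by_vector": dict(by_vector),
        "incidents": len(incidents),
        "incident_vectors": dict(Counter(a["vector"] for a in incidents)),
        "blocked_by_control": {c: dict(v) for c, v in blocked_by.items()},
    }


def gap_vectors(pulse):
    """Vectors that produced incidents while no control blocked anything on
    them: the first candidates for the additional resources the article asks
    the reader to prioritize."""
    covered = set()
    for vectors in pulse["blocked_by_control"].values():
        covered.update(vectors)
    return sorted(v for v in pulse["incident_vectors"] if v not in covered)


if __name__ == "__main__":
    pulse = threat_pulse(alerts_in_month(SAMPLE_ALERTS, 2018, 10))
    print(f"Threats seen in Oct 2018: {pulse['total']}")
    for vector, n in sorted(pulse["by_vector"].items()):
        print(f"  {vector:6} {n}")
    print(f"Incidents (not blocked): {pulse['incidents']} {pulse['incident_vectors']}")
    for control, vectors in pulse["blocked_by_control"].items():
        print(f"  {control} blocked {vectors}")
    print("Vectors with no blocking control:", gap_vectors(pulse))
```

On the constructed sample the October pulse is eight threats, three of which got through, and the only vector with an incident and no blocking control at all is RDP, which is exactly the kind of gap the article says should be set against the defensive architecture before buying the next tool.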
