Episode 86: Modern Malware Exposed!
Amrit Williams, BigFix CTO, discusses the malware landscape and new resources available to IT professionals with Marc Maiffret of FireEye.
FULL TRANSCRIPT
Amrit Williams: Welcome, this is Amrit Williams, your host on “Beyond the Perimeter”, and today I am joined by Marc Maiffret, Chief Security Architect with FireEye and former CTO and Founder of eEye.
Marc, thanks for joining me today.
Marc Maiffret: Definitely; thank you for having me.
Amrit Williams: Before we get started, I just wanted to tell you a quick story which I found quite amusing. I used to be with Gartner Hous. in their Information Security and Risk Group, and I was doing some reference checks for various vulnerability assessment scanning technologies out there, I think it was like 2004. eEye was one of the companies and I was talking to a large financial-services security professional and typical VA problems/solutions type of questions and I said, “So ultimately why did you choose eEye?” and he said, “’Cause this guy Marc had green hair”. And I said, “I don’t understand, what is the significance of that?” He said, “He had green hair and he had a ring in his face, and he seemed to know a lot about hacking” (laughing). And he could not for the life of him tell me anything about the product; he was just fascinated by you.
Marc Maiffret: (Laughing.)
Amrit Williams: So definitely a little bit of cult personality there.
So before we delve into — ‘cause I know that FireEye’s got some great announcements, you guys have a new Modern Malware Exposed site up, definitely want to talk about that; but before we do, tell me a little bit and tell the audience a little bit about FireEye. I know they’ve gone through some different evolutions over the years; but just for a frame of context, what does FireEye do?
Marc Maiffret: Definitely. So, Amrit, the heart of what we do is we have a hardware-based appliance that can sit monitoring traffic — in other words, traffic coming into your organization — in order to detect all the attacks and prevent the attacks that are just simply being missed by the more traditional security layers like firewall, IPS and antivirus.
Amrit Williams: So it’s an inline device that’s looking at ingress and egress traffic, both?
Marc Maiffret: Correct. You can have it inline or out-of-band for a kind of monitoring-only deployment, and we’re both detecting inbound attacks through kind of a virtual-machine automated analysis and then also the outbound callbacks that malware performs. So if there is a computer that already became compromised, maybe we didn’t see it or it got compromised through a USB memory stick, something of that nature, we’ll detect that also both inbound and out-.
Amrit Williams: Good, that’s cool. And just to frame some of the basics here, the difference between what FireEye is doing with an inline appliance monitoring ingress and egress traffic in a traditional intrusion-prevention appliance?
Marc Maiffret: Yeah, I mean, the real core difference is most of the other solutions, as you know, are kind of chasing whatever the next threat; so every day there’s all different types of new vulnerabilities, exploits, different new malware, et cetera. So everybody traditionally is analyzing these things and coming out with different signatures or rule sets to prevent those.
What we do very differently is we’re looking at all of the network traffic coming into an organization, and we’re just looking for anything that has the most basic level of suspiciousness; maybe JavaScript obfuscation, for example. And then we take that exact network data that was going to your endpoint and we actually replay that network data through a set of virtual machines, and these virtual machines have been instrumented to look for various changes that would signal that the machine has become compromised. And by kind of working with doing that virtual machine kind of generic analysis, it allows us to generically detect things; so like Aurora back in the beginning of the year, we didn’t know anything about that exploit or the malware, but the difference between us and the kind of reactive signature guys is that Aurora had some JavaScript obfuscation, which may or may not be bad — plenty of legitimate websites use JavaScript obfuscation — but we were able to take that network data that was happening with Aurora, replay it through our appliance and then generically detect it based on seeing the changes through the virtual machine, and even in that case we had three different companies that were actually targeted as part of Aurora that were customers of ours that all picked it up very easily.
Amrit Williams: So you guys are performing some type of behavioral analysis, looking at the network traffic on a VM layer, effectively. The time between when you’re looking at something that is not where it could or could not be bad and the time that someone takes to respond to that or get information that this is suspicious, can you talk a little bit about the workflow there and how that works?
Marc Maiffret: Yeah, no, that’s a great point. So I mean a lot of the — if you look at a lot of the attacks today, part of the problem with IT is IT is already typically understaffed, under-resourced. You hear this from anybody that you talk to in IT. And so a lot of times when you’re talking about attacks, even if it was kind of an older attack that’s picked up by intrusion-prevention or antivirus system, you ask IT “Were you able to analyze to see what — not just if the attack maybe was picked up, but what was it trying to do, what was the attacker’s intention, kind of what were the other aspects of the attack?” and, number one, they just don’t have the time or kind of knowledge to do that.
(00:04:59)
So a part of the side effect that what ends up happening with our product with the virtual-machine analysis happening is that we give you kind of an automated forensic output that “Here’s exactly what this attack would do to the computer. Here’s the servers that it was trying to communicate back out to you”. So, if like Aurora, for example, saying, “Here’s the server in Taiwan and exactly how it’s trying to communicate out to it” and giving you that automated forensic output, so you can kind of make better decisions on what to do.
Amrit Williams: Do you find that most of the customers are running this inline or out-of-band, using it for reporting and analysis or actually having you guys block in real-time?
Marc Maiffret: Yes, so the inline is something that we just announced in the last few weeks, but we have… so that’s newer to us; we’ve been more of a monitoring solution up until then. But we’re already seeing greater adoption of it, and that’s with inline with something being driven and asked for by customers. So I’m sure we’ll see the majority of deployments moved to being inline versus monitoring only.
Amrit Williams: Definitely appreciate the information on FireEye. With FireEye and you the best of luck.
I want to switch gears a little bit and talk about ModernMalwareExposed.org, and for those folks that are interested in what Marc is about to say, you guys can find the website at ModernMalwareExposed.org, is that correct?
Marc Maiffret: Yes, absolutely, that’s the website: ModernMalwareExposed.org. And then it’s really a site that we’re trying to build to be a tool for people that are interested in some of these kind of highly dynamic and advanced threats that are happening out there to have a place where IT folks and above can kind of really learn on kind of what’s happening, what are some of the trends, what’s actually working, what’s not.
And in that realm also, it’s really to help kind of have another place and augment FireEye’s already existing blog that we’ve had for a while, which is just more of a kind of a technical resource on kind of reverse-engineering malware and those sort of things. So, again, really just kind of some tools and some information for average IT and related to kind of keep up with what’s happening out there.
Amrit Williams: And so it’s a great resource for folks to look at. Couple of questions for you. The first one: what gap is it trying to fill? I mean, you look out there in the world of security information and there’s a ton of it out there. I don’t think all of it’s aggregated well and some of it runs the gamut from extremely high-level and goofy to extremely overly detailed. What gap is it that you think you guys fill here?
Marc Maiffret: Yeah. I mean, I think the big part of it is, at least the way that we hope it comes across and that we’re striving for, is that we want it to be in the vein of that if you’re an IT person and maybe have a question, just simply — maybe there’s a new threat that you’re wondering how it relates to antivirus or a new type of botnet propagation method that maybe you read about the press, and it’s almost like you’d want to bounce off, if you had that really technical thread that you’d want to bounce it off of, just to get the very to-the-point and simple understanding of what does it actually mean? That’s where we’re hoping the site can help answer, and part of that is we even have a kind of video blog aspect of it where if people have different questions they can basically just email it in, and myself personally or other folks that FireEye will actually be taking the time just to give the quick, simple answer on here’s exactly what that new technique, thread, et cetera, actually means.
Amrit Williams: That’s a very cool service, so hopefully folks will use it.
You’ve been in the industry for quite some time, Marc; so I wanted to talk a little bit about what you’re seeing. A lot of people talk about the evolution of malware, the sophistication, the stealth aspect of it, the financial motivation, on and on and on. What’s your perspective? What’s changed over the years?
Marc Maiffret: Yeah. I mean, I think the professionalism on the part of the attackers is definitely the most dramatic change that’s out there. I mean, we consistently see that when it comes to the different malware and exploits that are out there, I think everybody knows that there’s obviously a marketplace; there’s the black market not just for buying and selling stolen information, but also now for buying and selling various tools that can be used to steal information. So whether that’s kind of your custom point-and-click exploit toolkits that we see or kind of custom ready-to-go botnet manufacturing type of software where you just put in a handful of parameters and now you have your own custom bot. So when you look at all the aspects of what we kind of consider the modern malware lifecycle, which is you have the kind of exploit/attack phase, you have the actual malware itself, and then you have the communication back from the malware to the various command-and-control servers.
(00:10:04)
It used to be that a few years ago as the stuff was becoming more popular, it was definitely something where you had to have the skill set to build each of those components in order to kind of build a successful botnet or related. Nowadays, it very much is such where at each kind of phase of that lifecycle, you can actually go buy almost a professional-level quality product that you just kind of turn a few knobs, enter a few fields and it’ll output your custom exploits; and if you want to pay extra money, you’ll get a zero day with it. It will output your custom malware; it will output the whole kind of command-and-control infrastructure.
And so that’s really lowered the bar to what it requires from the average criminal that can kind of take part in this new way of stealing information. I think we’re gonna continue to see that happening in a significant way where we continue to have the bar lowered where the guy that right now maybe is spending his time being an everyday pickpocket in downtown Los Angeles, just having the most basic level of computer skills and spending a little bit of money, you can get the kind of setup that will allow you to now be stealing financial and other information across thousands of computers on the Internet. We continue to see it going that way.
Amrit Williams: Yeah, the economies of scale and the global reach has become quite phenomenal for these guys.
Marc Maiffret: Definitely.
Amrit Williams: What about on the customer side, on the commercial side, what do companies do? What do IT professionals do? I mean, we’re for the most part living in a world where most people are just reactive to a threat, they wait for an incident and then they respond to it, or they wait for someone to tell them that something bad is gonna happen and then they respond to it. What are we doing wrong, and what should we be doing?
Marc Maiffret: Yeah, I mean, I think you’re exactly right on the point you were just mentioning about. Typically, the way that an attack becomes discovered is through the kind of reactive, somebody just kind of realizes that computer’s already compromised; maybe the exploit messes up or the malware messes up and we kind of have some indication and IT kind of investigates it. That’s typically how a lot of the breaches are found is kind of through pure mistakes.
Obviously, there’s different technology that folks can use; but stepping aside from just simply “Hey, go buy this product, it will solve all your problems”, I think one of the most important things is really around education and educating both IT and also just your average everyday employees, because at the end of the day there are always going to be different threats and ways that something might find its way into your network, into your business. And a lot of it is, number one, what controls and kind of auditing do you have in place to find these things, and then also again how educated is your IT staff and how educated are your actual employees that when they see something kind of odd, do they know, have they been kind of told repeatedly by IT and by IT security, have they been told repeatedly that when you see something odd to report it back to you so they can investigate it and helping define what exactly is odd: is it just Internet Explorer crashing, which could be nothing or it could be everything. And so I think really the more educated both IT and the employees become, the better it becomes to hopefully find some of these things earlier on in the process.
And then, of course, there’s all the standard hardening and policy type of stuff that’s also very important.
And then obviously, lastly, our product is pretty amazing, I think, for this problem (laughing).
Amrit Williams: (Laughing.) I’m sure you wouldn’t be there if it wasn’t.
Marc, I really appreciate you joining me today. Just for the audience again, it’s Marc Maiffret, Chief Security Architect with FireEye, and ModernMalwareExposed.org is the website that they’ve just launched; a lot of great information up there.
Marc, really appreciate you joining me today; hopefully, we can get you back soon.
Marc Maiffret: Definitely; thank you so much.
Announcer: You have just listened to “Beyond the Perimeter”, sponsored by BigFix, Inc. Views expressed on this podcast are the personal opinions of podcast participants and do not reflect official positions of their employers or BigFix. Thanks for listening.
