FireEye: Malware attribution not key in cybercrime fight

The industry places too much emphasis on finding out the source of cyberattacks, which does little to improve the state of security. Instead, resources should be invested in security innovation around mobile, social media and cloud.

Rob Rachwald, senior director of research at FireEye. (Source: Michael Lee/ZDNet)

SINGAPORE--Malware attribution is gaining traction, but it is not key in the fight against cybercrime, according to a FireEye executive.

Rob Rachwald, senior director of research at FireEye, observed that the security industry today is "very interested" in where malware originates and has made this a priority, with the industry eager to pin the blame on certain countries or individuals.

This can usually be done by taking a malware sample, analyzing it and figuring out who or which country is behind it, Rachwald said, speaking at the RSA Conference Asia-Pacific 2013 keynote on Thursday.


"It is almost like food--people can tell the difference between Chinese and French food, it's quite distinct," he said. "Malware is like this to a certain extent."

For example, malware from the Baltic region, particularly Russia, is characterized by a higher level of sophistication and is very effective at evading detection, Rachwald noted. Malware from China typically wages high-frequency, brute-force attacks against a range of targets, he added.

In the Middle East, there is "creativity" in methods of infection, he pointed out, noting, for instance, that when banks in Israel were attacked last year, the malware had set traps so users would unwittingly get compromised.

However, he pointed out that malware attribution was not key in combating cybercrime because it did little to improve the state of security, and most attribution took a long time and may not be accurate.

Rachwald cited a 2012 FireEye study that examined more than 12 million callbacks, or malware communications seeking instructions, and found that 88 percent of intra-country callbacks came from Japan while 80 percent came from South Korea.

Both East Asian countries are known for their governments' strong advocacy of IT security and defenses, so it is "obvious" that command-and-control (C&C) servers were set up in these countries by cybercriminals, who had been using them to set up IP addresses.

Even in the case of China, which has a "dramatic" influence on others and where 89 percent of cyberattacks are associated with advanced persistent threat (APT) tools made by hacker groups in China, the industry cannot "say for certain 100 percent of attacks come from the country", he noted.

Moving forward, with the proliferation of cyberespionage in Asia-Pacific, where the economy is growing fast and many patents are being filed, the security industry should not place so much focus on attribution to nation states, because it not only affects international relations but also does little to improve the state of security, Rachwald advised.

Instead, the industry should focus on security innovations around mobile devices, social media and cloud, because cybercriminals will perpetrate malware through these channels, he said.
