How malware writers' laziness is helping one startup predict attacks before they even happen
Biblical-style prophecy may be a thing of the past, but Israeli security startup CyActive is developing technology that can predict what exploits malware writers are going to come up with next, allowing developers to come up with a way of mitigating the attacks — even before the malware agent behind it is even created.
The technology, which CyActive has been working for about a year, is garnering attention in the enterprise — to the extent that the company announced several weeks ago that it had received a "substantial strategic investment" from the venture capital Unit of Siemens. CyActive didn't say how much it got, but Ralf Schnell, CEO of the Siemens' unit, said that he was "particularly excited" by CyActive's approach "to securing industrial and utilities assets. CyActive’s founders are leaders in the field and the company’s unprecedented cyber security technology turns the economic equation in favour of the defender".
Abetting CyActive in its prophetic efforts are the technical limitations of malware writing — or, some would say, the laziness of the malware writers themselves. According to CyActive CEO Leron Tancman, malware — like legitimate software — is often derivative, and even advanced attacks have the same core components as earlier versions.
"You can see very clearly what the 'kill chain of exploitation' is, the methods hackers are using now and the variants they are likely to use," Tancman said. "Even the major attacks of recent years, such as Flame, Stuxnet, and others, use a similar core."
Two recent high-profile attacks provide a good example of the phenomenon, Tancman said. According to a CyActive analysis, the attackers who hit US chain Target last December used malware called BlackPoS (aka Kaptoxa) for a point of sale malware attack that compromised the credit card information of millions of customers.
But BlackPoS came back for an encore, said CyActive, when a variant reusing a number of code pieces and methods seen in other malware was unleashed on another chain, Home Depot. A blogpost by CyActive lists many similarities between the components, activities, and methods of both attacks, and concludes that the Home Depot malware was basically a remix of other previously used malware components attached to BlackPOS in order to make it appear new.
But it wasn't new, Tancman said, in the sense that nearly all the components and the defences against them were well-known in the security community.
"It's not fair for me to comment on this specific instance, but I believe that we would have been able to predict the new BlackPoS variant if we had been able to analyse the original one. That's what our technology does, very effectively. In 20 minutes we can predict 10,000 variants of a particular piece of malware, allowing for the development of defences against them."
CyActive, Tancman said, changes the equation in the online security war. "Security is reactive, and as we have seen over and over, the hackers just need to make slight adjustments to their code in order to wreak havoc on the enterprise, which over and over has to spend millions to mitigate the threats.
"There is an economic imbalance, and there shouldn't be, because so much of malware is derivative. Well, cyber-defence can be derivative too, and that changes the balance of power in favor of the defenders."
Siemens sees the system's value especially for SCADA and other long-life systems used in critical infrastructure that need to be protected. "CyActive offers the opportunity to change the model of Industrial Control Systems (ICS) security from a reactive model to a proactive model," said Rajiv Sivaraman, global head of Siemens Plant Security Services. "This achievement addresses the long life cycles within ICS for critical legacy devices."
"We are thrilled by this vote of confidence from Siemens, global leader in industrial and utilities markets," Tancman said. "The investment recognizes the need for industrial and CIP technologies that tackle the toughest security challenges. We look forward to expanding CyActive's ability to protect the world's most critical assets."