Catch Up Or ‘Swat Flies’: Cyber Security Expert Touts AI, ML

'TF7 Radio' Explains Router Botnet, SOAR Technology



Dan Gunderman
06/05/2018

Last month, a botnet morphed into to a potential national security concern. Separately, orchestration and automation have continued to shake up the security landscape. In his most recent episode, “Task Force 7 Radio” host, George Rettas, tackled these topics, and more.

Rettas was joined by DFLabs Senior Product Manager, John Moran, who discussed all facets of security orchestration, automation and response (SOAR) technology.

To begin the show, however, Rettas discussed the VPNFilter malware strain affecting small office and home office (SOHO) routers. The result is a botnet wielding hundreds of thousands of devices believed to be operated by a Russian hacking group, often called Fancy Bear

DOJ Insight

Rettas said that on May 25, the FBI released a statement warning U.S. citizens to reset their routers, to defeat an advanced persistent threat (APT). Foreign cyber actors compromised scores of routers using the VPNFilter malware, which renders the devices inoperable. They recommended owners reboot as soon as possible, to disrupt the malware.

On a reboot, short-term memory on the router is lost, and many experts believe no malware strain can survive the reset on an Internet of Things (IoT) device. Rettas then used the guidance to outline three phases of the attack: finding vulnerable routers for a landing pad/command and control server (C&C), hackers delivering more of their malicious payload to the network and “bricking” the device, and lastly, nefarious conduct (plugins, access to the Tor Network, etc.).

Rettas said just rebooting the router won’t work – to disable the malware. He said the FBI statement may not have had the desired effect because they’re “holding things close to the vest.”

See Related: The Quantum Revolution, Plus The Trump Admin. Banishes Cyber Czar

However, Rettas commented on a Department of Justice (DOJ) statement which laid out the VPNFilter a bit more. The operation against the botnet was described as the first step in disrupting the botnet that provides Fancy Bear actors with an array of capabilities. A court-ordered seizure of a known domain used by malicious actors in the campaign became a critical step in minimizing the effects of the attack. It allows the FBI to identity and expose responsible hackers.

The “TF7 Radio” host said the malware targets SOHO routers and uses stages to infect them; the first stage persists through a reboot. The U.S. Attorney’s Office for the Western District of Pennsylvania obtained court orders authorizing the FBI to seize a domain that was a part of the C&C infrastructure.

Rettas said that’s what the FBI wasn’t telling you in its statement. “The FBI seized (devices) that were a part of the C&C network for the bad guys,” Rettas said. “When the infected device phones home after a reboot, the good guys at the FBI will see it. This is key, so after the reboot, when the initial malware persists and tries to re-infect the router, and calls home to the C&C, it’ll be to the FBI, which then captures the IP address. It uses a nonprofit organization called Shadow Server Foundation to disseminate IP addresses to those who can assist with remediation.”


‘Swatting Flies’

In the next segment, Rettas was joined by DFLabs’ Moran. Commenting on enterprise security challenges, Moran said, “One of the biggest challenges I observe is organizations really getting stretched, and forced to do more with less. More alerts, an increased workload on the staff – everybody is maxed out and dealing with security alerts and events coming in. They have a limited budget, and are forced to do more with what they can get. They’re forced to get additional value out of the security program without spending more money.”

He also said a challenge is the cost of security incidents. Moran said: “Attacks are more sophisticated, more damaging, and that equates to increased financial costs as well as reputational costs to the organization.” One goal on the organizational level, he said, remains reducing mean time to detect and respond to security incidents.

Asked what the root cause of all these challenges is, the DFLabs senior product manager said, “I don’t think it’s that attacks are getting easier. As a security industry, we’ve done a good job of trying to harden our attack surface. The bottom line is that we’re trying to swat away flies. It’s not working, and we’re not keeping pace with the attackers.”

Moran said every time a detection mechanism is developed, a way to bypass it surfaces almost immediately.

See Related: Palo Alto Networks CSO Talks Risk Metrics, Algorithms & Automation

“I don’t think it’s necessarily a failure of technology, so much as processes and using technology to its most efficient. Most attackers, a majority of them, are financially driven.” He said monetization is driving these persistent campaigns.

In order to remediate these issues plaguing the industry, will things first decline? Moran said, “I don’t think it is all ‘doom and gloom.’ It (may get) worse before it gets better. We still have a ways to go as an industry, in the methods and tools we use. But at the same time, I think we have gotten better in some of our methods. It’s just that attackers are still getting better faster.”

To eliminate some of the problems with the workforce – mainly in terms of strength – Moran said, “We need to find ways to effectively use the skilled analysts we have… (We must) utilize their talents so they are not bogged down with mundane stuff – the predictable, repeatable tasks. That’s where automation can be a force multiplier when we talk about the gap in talented analysts.”

Automation as a ‘Force Multiplier’

Can automation be a game-changer? Moran seems to think so, if it’s implemented justly. The “TF7 Radio” guest said, “Organizations stumble when they don’t’ look at automation as an enabler, but as a replacement for their staff. We’re not there, that’s the wrong approach. If organizations approach automation with that replacement mentality, they (likely) won’t see the results they’re hoping to achieve.”

The product manager also seemed to think that while automation will elevate the effectiveness and efficacy of the security operation, it will not come with pink slips for the human practitioners, at least not in the short term.

“I don’t think we’re near a point where we need to worry about AI taking over jobs and putting us all out of work,” Moran said. “There’s certainly plenty of work to go around. A smart use of automation is in the support of staff, and taking advantage of the skills they have and allowing automation to take over repeatable processes…”

In the show’s final segment, the product manager also said that there are a few times when implementing SOAR technology could prove fruitful, especially once maturity has reached a level where operations may be heightened. He said that once you have the tools and processes in place, plus the technology and knowledge, automated functions can effectively elevate your program.

Overall, it appears enterprises are vying for reduced mean time to detect – and that’s a layered comment with different approaches and processes. But to preside over an effective security operation, automation and orchestration (a sort of consolidation of disparate tools for better use) cannot be ignored.

The "Task Force 7 Radio" recap is a weekly feature on the Cyber Security Hub.

To listen to this and past episodes of "Task Force 7 Radio," click here.

Be sure to connect with Moran, here.


Be Sure To Check Out: Cyber Security Expert Breaks Down The EU's Sweeping Answer To InfoSec: GDPR