Sifting strains to understand the threat of military targeted malware

6 December 2017 (Last Updated December 6th, 2017 15:12)

Hackers are deploying machine learning techniques to create malware that constantly changes to avoid detection, and future malware strains could – it has been suggested – even develop sentient properties to keep them one step ahead. Claire Apthorp spoke to Airbus Cyber Security to find out more about the recent strains of malware they’ve been dealing with, and to hear how the threat to communications infrastructure is harming military readiness.

A computer graphic image (CGI) of the MoD badge illustrated within an information technology circuit board. Credit: MoD.

Governments, military forces and critical national infrastructure organisations typically deal with some of the most sophisticated cyber threats in use today. These threats continue to grow in sophistication and automation, with attackers ranging from highly skilled and motivated organisations or individuals, including nation states, to less skilled attackers using hacking toolkits and frameworks purchased online.

Attempting to characterise the current cyber threat is a difficult task, as the attackers, tools and styles of attack are continuously evolving. For one thing, the line between nation states and lower-level cyber criminals is becoming increasingly blurred – in some instances cyber criminals are mimicking the tools and techniques used by nation states. Following the Shadow Brokers leak of NSA hacking tools earlier this year, nation-state-grade tools are now available to anyone wishing to download them. At the same time, lower-sophistication disruptive and destructive attack techniques are increasingly being explored by nation states, according to the National Cyber Security Centre 2017 Annual Review.

The result of this endless shape-shifting is blended attacks that take a best-of-breed approach, combined with advanced detection evasion techniques. Taken together, they present a considerable global threat.

Shape shifters

Meanwhile, malware continues to evolve, and methods of evading detection have kept pace with the sophistication of the malware itself.

“Polymorphic malware is code engineered with the ability to transform from its original form every time it is executed to evade detection,” says head of Airbus CyberSecurity’s UK Security Operations Centre Lloyd Rush. “Its unique, changing characteristics include file names, types, or encryption keys making the malware less identifiable and harder to detect.

“Techniques like this have caused an explosion in the volume of malware in circulation, with more than 390,000 new variations of malware being detected every day. These techniques have also made malware much more successful, and it is currently thought that 97 per cent of successful malware infections now deploy polymorphic techniques.”

Compounding this threat is a chronic lack of end-user education, with many organisations failing to implement and communicate the need for good cyber security hygiene across their networks and in their employees’ habits.

In order to handle this challenge, service providers are increasingly being used to manage high-risk networks. Airbus CyberSecurity runs one of the UK Ministry of Defence’s federated Security Operations Centres (SOCs) as a Managed Service Provider reporting into the Authority’s Computer Emergency Response Team Coordination Centre. The Airbus SOC provides protective monitoring of the Defence Information Infrastructure as part of the ATLAS consortium. This position gives the Airbus SOC a firm understanding of what the newest generation of malware threats looks like, and how they are evolving.

“Memory threat injection and malware variants that evade whitelisting tools that percolate upwards are among the top emerging threats or malware families,” Rush explains.

“For example, fileless attacks continue ‘living off the land’ by using common administration tooling that is built into operating systems in order to avoid detection, or exploit the full use of the native automation to deploy software updates effectively and without interaction, nor impact to the end user experience.”

Unconventional security

Here, a lack of agility in large organisations when deploying mitigating controls or upgrading vulnerable operating systems exposes new residual risk, or increases existing risk.

“Typically the approach for defending against these threats would include a range of detection tools taking Indicator of Compromise feeds and more generic triggers,” Rush said. “Such tooling is presented at differing layers or segments of the organisation to identify any activity that aligns to known triggers, from perimeter to endpoint devices.”

But attackers’ use of polymorphic engines to mutate the malware’s code while keeping its original malicious functionality intact enables the malware to evade detection by traditional signature-based security software.

“Attackers typically use machine learning to judge the effectiveness of campaigns and thus adjust attack strategy, be that evaluating evasion or social engineering techniques and potential success rates,” said Rush. “Each failure to the attacker comes at the expense of further development and adds to the defender’s indicators of compromise (IoC) and threat intelligence data sets.

“Typically machine learning used to create malware has constrained parameters and variables set out by the source coder that mostly require code originator interactions to change the payload. One could suggest machine learning in autonomous creation of malware is currently limited, but it would be reasonable to assume there is considerable application when assessing the predictive modelling of a high value malware campaign.”

The challenge here is that conventional wisdom on malware protection has been to invest in preventative solutions like antivirus, firewalls and Intrusion Prevention Systems that work by searching for specific and recognisable elements of code. As a result, conventional protective tooling needs to up its game.

“Automated defences can respond to these malware threats in terms of keeping up with the speed at which they are created, but true success depends on strategic insight as well as speed of response, so the most effective defence requires both machine learning-led programmes as well as human expertise,” Rush said. “Here, behavioural analytics and normalisation ranging from the end user to network telemetry can be baselined and combined with IoC and other identifiers stemming from cyber threat intelligence to deliver actionable intelligence that builds effective preventive or detection methods.”
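The two points above, that a polymorphic variant slips past a fixed indicator while a behavioural baseline still catches it, and that IoC matching and baselined telemetry work best when combined, can be shown in a small triage routine. The following is an added example written for this article and is not code from Airbus CyberSecurity or from the SOC described; the telemetry schema, host and process names, and the `sha256:PLACEHOLDER-…` hash values are all constructed, and the hypothetical `IOC_HASHES` feed stands in for a real threat intelligence source.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record from endpoint telemetry (constructed schema)."""
    host: str
    parent: str   # image name of the parent process
    process: str  # image name of the created process
    sha256: str   # hash of the created image; placeholder strings, not real hashes

# Hypothetical IoC feed: image hash -> malware family it is attributed to.
IOC_HASHES = {
    "sha256:PLACEHOLDER-DROPPER-V1": "dropper-v1",
}

# Constructed baseline window: parent->child lineages seen during normal operation.
BASELINE_WINDOW = [
    ProcEvent("ws01", "explorer", "mailclient", "sha256:PLACEHOLDER-MAIL"),
    ProcEvent("ws01", "explorer", "docviewer", "sha256:PLACEHOLDER-DOC"),
    ProcEvent("ws01", "explorer", "admintool", "sha256:PLACEHOLDER-ADMIN"),
    ProcEvent("ws02", "explorer", "mailclient", "sha256:PLACEHOLDER-MAIL"),
    ProcEvent("ws02", "explorer", "docviewer", "sha256:PLACEHOLDER-DOC"),
    ProcEvent("ws03", "explorer", "admintool", "sha256:PLACEHOLDER-ADMIN"),
]

# Constructed events to triage against that baseline.
NEW_EVENTS = [
    # Mutated variant: the hash is unknown to the feed, but no host in the fleet
    # has ever seen the document viewer spawn the admin tool.
    ProcEvent("ws01", "docviewer", "admintool", "sha256:PLACEHOLDER-VARIANT-7"),
    # Unchanged sample: caught directly by the hash IoC (and by its lineage).
    ProcEvent("ws02", "mailclient", "dropper", "sha256:PLACEHOLDER-DROPPER-V1"),
    # New for ws02, but a lineage other hosts already exhibit: low priority.
    ProcEvent("ws02", "explorer", "admintool", "sha256:PLACEHOLDER-ADMIN"),
    # Routine activity already in the host's own baseline: no alert.
    ProcEvent("ws01", "explorer", "docviewer", "sha256:PLACEHOLDER-DOC"),
]

class Baseline:
    """Normalised view of which lineages each host, and the fleet, has exhibited."""
    def __init__(self, events):
        self.per_host = defaultdict(set)        # host -> {(parent, process)}
        self.hosts_by_pair = defaultdict(set)   # (parent, process) -> {hosts}
        for e in events:
            pair = (e.parent, e.process)
            self.per_host[e.host].add(pair)
            self.hosts_by_pair[pair].add(e.host)

    def seen_on_host(self, e):
        return (e.parent, e.process) in self.per_host[e.host]

    def host_count(self, e):
        return len(self.hosts_by_pair[(e.parent, e.process)])

def assess(event, baseline):
    """Combine an IoC lookup with a lineage-baseline check; return (severity, reasons)."""
    reasons = []
    family = IOC_HASHES.get(event.sha256)
    if family:
        reasons.append(f"ioc_hash:{family}")
    if not baseline.seen_on_host(event):
        if baseline.host_count(event) == 0:
            reasons.append("lineage_unseen_fleet_wide")
        else:
            reasons.append("lineage_new_for_host")
    if any(r.startswith("ioc_hash") or r == "lineage_unseen_fleet_wide" for r in reasons):
        return "high", reasons
    if reasons:
        return "low", reasons
    return "none", reasons

def triage(events, baseline):
    return [assess(e, baseline) for e in events]

if __name__ == "__main__":
    for event, (severity, reasons) in zip(NEW_EVENTS, triage(NEW_EVENTS, Baseline(BASELINE_WINDOW))):
        print(f"{event.host}: {event.parent} -> {event.process}: {severity} {reasons}")
```

The first event is the case the article describes: the hash indicator misses the mutated variant, and only the baselined lineage check raises it. The third event shows why the baseline must be kept per host as well as fleet-wide, so that a legitimate first use on one machine is not scored like a never-before-seen lineage.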

The future is intelligent

As to how the threat will develop in the future, the current signs point toward artificial intelligence (AI). AI-enabled cyberattacks have the potential to cause an explosion of network penetrations, personal data thefts, and a significant spread of intelligent computer viruses. Rush’s advice here is for security teams, business leaders and politicians to familiarise themselves with the cutting edge of AI safety and security research in order to understand the potential impact.

“There is already some good security research being done in this area,” he said. “Algorithms are able to learn from and make predictions about previously unseen data based on exposure to large ‘training’ data sets, allowing them to characterise malicious code, find patterns and group related samples together – and every new sample improves detection rates, raising the cost to the attacker.”

There is no doubt that the Internet and cyberspace are going to figure strongly in the battlefield of the future, and many governments are already working to gain an advantage here and develop a strong security posture. But when it comes to infrastructure and strategy, Rush argues that we need to look beyond the military machine and focus on having a cyber secure environment within each function of society and the economy.

“This is because tomorrow’s cyber warfare could target not just military infrastructure but our broader society, with attacks seeking to disrupt our critical national infrastructure, banks or industries,” he said. “There will always be people trying to corrupt and bend the Internet to their needs. But across all sectors, in military and commerce, people are becoming more aware of the threats involved, which is a vital first step. So I have great optimism for the future.”