Discovering an old Flame

26 Jun 2012

Computer malware programmes only take on a name and a personality after they have been discovered. These are bestowed by the IT security industry, our would-be defenders. Before this, malware is anonymous and unknown, just the way the perpetrators want it.
 
Such was the case with Flame, whose discovery was announced a few weeks ago and about which much has been written. Being unnamed, however, does not mean unseen. Bit9, a security vendor, whose protection is based on blocking files with no – or suspect – reputation from running (blacklisting or grey-listing, see previous Quocirca post here), checked its records and found it had been blocking a single instance of what we now call Flame eight months before it was named.
 
The instance was at a commercial customer in the Middle Eastern country (a “friendly” country, by definition to be a Bit9 customer is must be, as it is US vendor and subject to export restrictions). The attack was persistent, sometimes daily, and targeted at a single end user Windows PC. The malware ran with admin rights, which the PC’s user did not have, probably gaining access via a Windows’ vulnerability. Bit9 says no information was stolen because it stopped it on all occasions. Well done Bit9.

It strikes Quocirca that alongside file reputation there are two other ways the attack could have been thwarted before it was known.
 
The first focussed on the fact that it needed admin rights to be effective. The granting, management and on-going use of admin rights on Windows devices is usually poorly managed. It need not be, with the right tools in place, admin activity can be limited and audited and Flame may not have been able to run anyway or soon spotted. Such tools are provided by vendors such as BeyondTrust, Avecto and Viewfinity.
 
Second, some IT security vendors, such as LogRhythm, McAfee and Red Lambda, which have traditionally focussed on audit through security information and event management (SIEM), are now talking about next generation SIEM (NG-SIEM). Here, their tools are used in real time to make advanced correlations and spot strange activity. So, even if the malware had not been blocked based on reputation and admin rights were not controlled, the communication with a suspicious IP address, and regular running of an unusual file at a strange time of day would soon raise the red flag.
 
File reputation, Windows admin rights, NG-SIEM – these are all advanced security practices that business should be considering as they heed reports such as that issued by the UK’s MI5 this morning; “MI5 fighting 'astonishing' level of cyber-attacks”. They are not alternative measures but form part of a multi-layered approach to IT security that is the only way to stand a chance in the increasingly threatening cyber-space.
 
Bob Tarzey, Analyst and Director, Quocirca

blog comments powered by Disqus