Interview: Diving Into the malware abyss with LogRhythm's Erika Noerenberg

23 Apr 2018

Reverse engineering malware is a job that’s never the same from one day to the next – much like the evolution of malware itself. Even when it’s malware from a variant that already exists, chances are they aren’t identical.

That’s what LogRhythm Threat Research Group’s senior malware analyst and reverse engineer Erika Noerenberg loves about her job, but there’s much more to it.

SecurityBrief talked with Erika about common themes surrounding vulnerability exploitation, malware, and the Internet of Things (IoT).

Broadly speaking, what do you see as the top challenges in the threat landscape at the moment?

Threat actors are constantly changing and evolving their exploitation and delivery techniques which presents a challenge. However, many older and often-used techniques continue to succeed due to lack of user education, difficulty patching critical systems, and poor security infrastructure (and lack of resources to improve security posture). These challenges are more critical to address than playing "whack-a-mole" with each exploit or threat as they come along. 

There’s a widely believed mantra that most new vulnerabilities and exploits are actually old ones that have found new use cases. From what you have seen, is this accurate and how many vulnerabilities are truly ‘new’?

Although many exploits and vulnerabilities follow the same methodologies (buffer overflows, race conditions, unsanitised inputs, etc.), recently the Meltdown and Spectre flaws affecting most CPU hardware utilised a technique that hadn't been publicly released before.

This side-channel attack took advantage of a processing optimisation called "speculative execution" in order to access memory regions that should not be accessible from an unprivileged process. 

How are both the ‘new’ and re-worked vulnerabilities being used to build destructive malware?

For Meltdown and Spectre, proof-of-concept code has been seen in the wild, but no fully functional malware is known at this time.

Other vulnerabilities continue to be re-used by attackers to perform an initial exploit of a system, but they repackage these exploits using different delivery methods, persistence mechanisms, and command and control (C2) functionality.

The topic of botnets, spying, and cyber attacks affecting IoT devices is becoming more important, particularly as enterprises start to make full use of IoT capabilities.

Are there any particular threats you can think of that really drive home the nature of IoT vulnerabilities?

IoT vulnerabilities are particularly insidious because many users do not realise the dangers of introducing these devices to their networks. When it comes to critical infrastructure environments especially, any IoT or BYOD devices should be carefully evaluated and segregated from production environments.

The increasing use of network connectivity (WiFi, Bluetooth, etc.) in medical devices is also concerning. Attacks against pacemakers, insulin pumps, and other patient devices can have fatal consequences. Furthermore, many medical devices used in hospitals run older operating systems that are still vulnerable to older exploits.

These devices often cannot be easily patched (if at all), have network functionality, and are on the same network as other hospital equipment. This creates an easy entry point for attackers who can use these devices to spread ransomware, exfiltrate patient data, or tamper with other medical devices on the network. 

For a while the argument was that manufacturers and product designers need to take more responsibility for the security of the devices they create. Are those manufacturers now sitting up and taking notice?

While vulnerabilities and exploits of IoT are gaining more publicity, many manufacturers don't have much incentive to change their processes if there are no real consequences for exploitation of their devices. Until consumers start valuing security over the cost of these devices, insecure/vulnerable devices will continue to be produced.

Do you have any advice for enterprises that are thinking of deploying IoT and what security controls they should consider?

IoT devices should be carefully evaluated before being introduced into any environment and heavily segregated from any critical infrastructure.
