Industry Perspectives

Black Hat 2012 Recap

Black Hat is one of the leading conferences for security researchers. Having been a security researcher in the AV and IPS industry for a considerable amount of time, I want to share my observations related to some of the research in malware presented at BH.

"File Disinfection Framework: Striking Back at Polymorphic Viruses." The research was presented by Reversing Labs. They presented an open source cross-platform x86-x64 library that enables its user to unpack, disinfect, and build PE32/PE32+ files. The framework also has an x86 emulator written from scratch, which supports multiple processes in parallel windows object such as handles, mutex, and environment. It also provides tools that can aid in writing disinfection routines such as automatic binary profiling with search for the presence and location of the virus stub.

"Scientific But Not Academic Study of Malware Anti-Debugging, Anti-Disassembly, and Anti-Virtualization Technologies." This research was presented by Qualys Labs. They cataloged the common evasion techniques malware authors employ, applying over 50 different static detections, combined with a few dynamic ones for completeness. They divided the protection mechanism into three different categories: anti-disassembly, anti-debugging, and anti-virtualization technique. For these techniques they provide the methodology used to detect it.

"Flowers for Automated Analysis." In this talk the researchers from GTISC claimed that the techniques widely adopted by malware authors can make automated malware analysis ineffective and unscalable. They propose that malware can be designed to fail to execute correctly on any environment other than the originally infected one. They presented the case of Flashback malware which was using infected system’s hardware UUID as a decryption key.

"DE MYSTERIIS DOM JOBSVIS: Mac EFI Rootkits." The talk discussed the current state of EFI-based malware and its implementation in order to attack Apple Mac systems. Later in the talk they also presented the defenses which can be taken against this kind of attack. For example, Apple has implemented password protection on the BDS phase of the EFI firmware. This will be helpful in cases where the attacker has gained physical access to the system and can interfere with the boot process.

"Intrusion Detection Along the Kill Chain: Why Your Detection System Sucks and What To Do About It." This research was presented by a researcher from Facebook. Typically IDS/IPS can generate a considerable amount of alerts. Digging into a large amount of alerts can be a time-consuming process. This talk discusses correlating the events which in turn can aid in reducing the noise by IDS.



Findings shared by the information security research at BH are definitely valuable contributions to information security. However, I noticed that in security research we have taken a bottom-up approach. We find malware, vulnerabilities, sandbox breaches, or exploits, which appear fascinating to us, so we research them, build tools for them, and talk about them. However, it is time that we take a top-down approach. We should basically first understand the critical threats we are facing today. Critical threats we are facing today are limited edition threats such as Flame, which went undetected and had significant impact on critical infrastructure, or a special edition threat, which will execute only once, target only one high profile individual, and compromise invaluable information of an organization. After we understand limited edition and special edition threats, which can bring a company or critical infrastructure to its knees, then we should answer the question: “Will the research, tools, or the product we built secure our critical infrastructure or our companies?”