New Approach Needed to Counter Malicious Software

By Robert Johnston
For the better part of a decade, network security has been overly focused on perimeter defenses. This has triggered a change in nation-level techniques for launching cyber-attacks. 

The traditional concept of a “secure network strategy” hinges on the sophistication and monetary investment in technical countermeasures placed at network boundaries. Similar to physical, outward-facing protections at military installations such as sentry posts, these defensive technologies reside at the external boundaries of networks.

Shoring up external walls and “digging the moat” are believed to keep occupants safe and attackers out. But this methodology typically leaves internal networks “soft” and vulnerable to attack as an unintended consequence of a perimeter security strategy.

Modern cyber-attacks capitalize on a focused enemy, attacking where least expected. Millions of dollars in government research-and-development funding and startup technology companies have focused their business models on developing next-generation perimeter defenses. Companies market their next-generation firewalls that enforce network security policies that are based on applications, users and content.

Individual computer systems, however, are usually left to defend themselves with nothing more than common anti-virus solutions. Anti-virus software has repeatedly proven itself inadequate in defending against a moderately skilled attacker, let alone a nation-state. This sort of topology is commonly called the “M&M” architecture, which is a play on words describing the external hard candy shell (the network perimeter) protecting the soft gooey center (the vulnerable internal network).

The question is: what are attackers really doing?

Autonomous logic is software that is capable of independently achieving a specific function without needing to receive further guidance or direction via instructions from an operator. This intelligent software relies on its ability to learn from the environment on its own, thereby overcoming obstacles independently. In this scenario, an adversary needs to bypass the perimeter defenses only once, at which point the software’s autonomous logic takes control, fortifying and expanding throughout the internal network. 

Cisco Systems defines a computer worm as “similar to viruses in that they replicate functional copies of themselves and can cause the same type of damage.” In contrast to viruses, which require the spreading of an infected host file, worms are stand-alone software and do not require a host program or human help to propagate. To spread, worms either exploit vulnerabilities on the target system or use social engineering to trick users into executing them.

A worm enters a computer through a vulnerability in the system and takes advantage of file- or information-transport features, allowing it to travel unaided. Many nation-state cyber-attacks are shaped by today’s perimeter-centric security architectures.

A major advantage to autonomous logic worms is the minimization of collateral damage while maintaining the ability to have mass effects. Stuxnet is a perfect example of this characteristic. The Stuxnet worm was programmed with such detail that it was designed to only destroy specific Iranian centrifuge hardware and software located in the Natanz nuclear production facility.

Few observers realize that Stuxnet is still an ongoing problem that infects systems every day. Using a multitude of methods, Stuxnet searches cyberspace for an environment that is configured to the specifications of the Natanz facility. If it stumbles upon a host that doesn’t meet the specific configuration, the worm does nothing. 

On March 20, 2012, South Korea was hit by a nation-state sponsored cyber-attack that led to the theft of intellectual property and sensitive government and financial data, in addition to the destruction of tens of thousands of information systems across South Korean industrial sectors. McAfee stated that its analysis of this attack — known first as Dark Seoul and now as Operation Troy — revealed that in addition to the data losses of the “master boot record wiping,” the incident was more than cybervandalism. The attacks on South Korean targets were actually the conclusion of a covert espionage campaign that had lasted five years. 

Why did this crime go undetected for so long? Autonomous logic was a major catalyst in what has been attributed to a North Korean state-sponsored attack. The remote backdoor that attackers used to communicate and eventually destroy information systems was specifically designed, upon execution, to automatically hide itself from security countermeasures, gather details about the environment, locate and exfiltrate sensitive documents, spread to other computer systems and position itself for delivery of a destructive piece of software that would leave networks in shambles.

In August 2012 the Shamoon virus destroyed more than 30,000 information systems belonging to Saudi Arabian oil giant Saudi Aramco. A Symantec technical report said the initial infection vector was unconfirmed, but once W32.Disttrack (Shamoon) was inside a network, it would attempt to spread to every computer within the local area network through network shares. While the virus may piggyback on existing machine-to-machine credentials, typically Shamoon attackers have gained access to domain credentials and the domain controller itself, allowing them access to all computers on the local domain.

These specialized worms are becoming the preferred attack vectors. Stuxnet, Flame and Conficker are all perfect examples of using autonomous logic to bypass perimeter security and remain undetected by users or network administrators.

In November 2013, a Defense Department research-and-development team designed a simple piece of autonomous logic that could replicate throughout a network, collect credentials and sensitive data, and, when finished, deny the use of that computer system to all potential users. Even when removed from an infected system, its logic routines informed computers elsewhere on the network of its existence, and triggered a command to re-attack the healthy host. 

This program was developed by bundling open-source software currently available on the Internet. The worm can travel throughout the network looking for any connections or neighbors it might be able to infect. Once targets are discovered, it uses an ever-growing list of compromised passwords to gain access and infect the neighbor host, causing it to run through the same toxic logic routines. Once complete, the worm destroys the system by changing all known passwords, filling the hard drive to complete capacity, over-clocking system memory, thus bringing it to a halt, and finally putting the computer in an infinite loop of the infamous Windows “blue screen of death.” The worm even proved able to jump networks that were segregated by encryption.
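The Shamoon spread through network shares and the neighbor-to-neighbor infection described above leave the same trace on the defender's side: one host opening the administrative shares of many peers within minutes. The Python below is an added example, not code from the article or from any vendor, that flags that fan-out over constructed share-access records shaped like the fields of a Windows Security event 5140 (time, source address, target host, share path, account). The addresses, host names, window and threshold are assumptions chosen for illustration.

```python
"""Added example (not from the article): flag hosts that fan out to many
peers' administrative shares, the pattern that share-based spreading such as
Shamoon/W32.Disttrack leaves behind.

The records below are constructed to resemble a Windows Security event 5140
(share access) reduced to five fields. Names and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: only 10.0.2.40 touches ADMIN$/C$ on several hosts quickly.
SAMPLE_EVENTS = r"""
# time                source     target     share                account
2024-01-01T09:00:01 10.0.1.15 FILESRV01 \\FILESRV01\Finance jdoe
2024-01-01T09:00:05 10.0.1.15 FILESRV01 \\FILESRV01\Finance jdoe
2024-01-01T09:01:30 10.0.1.15 WS-0100   \\WS-0100\ADMIN$    helpdesk
2024-01-01T09:02:10 10.0.2.40 WS-0101   \\WS-0101\ADMIN$    svc_deploy
2024-01-01T09:02:11 10.0.2.40 WS-0102   \\WS-0102\ADMIN$    svc_deploy
2024-01-01T09:02:12 10.0.2.40 WS-0103   \\WS-0103\C$        svc_deploy
2024-01-01T09:02:14 10.0.2.40 WS-0104   \\WS-0104\ADMIN$    svc_deploy
2024-01-01T09:40:00 10.0.2.40 WS-0105   \\WS-0105\ADMIN$    svc_deploy
"""

# \\HOST\ADMIN$ or \\HOST\<drive>$ : the administrative shares used for remote copy.
ADMIN_SHARE_RE = re.compile(r"^\\\\[^\\]+\\(ADMIN\$|[A-Za-z]\$)$")


def parse_events(text):
    """Parse whitespace-separated records into (time, src, target, share, account)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, target, share, account = line.split()
        events.append((datetime.fromisoformat(ts), src, target.upper(), share, account))
    return events


def is_admin_share(share):
    """True for \\HOST\ADMIN$ and \\HOST\<drive>$ paths, False for ordinary shares."""
    return ADMIN_SHARE_RE.match(share) is not None


def find_fanout(events, window=timedelta(minutes=5), threshold=3):
    """Return {source: [targets]} for every source that reached at least
    `threshold` distinct hosts' administrative shares inside one `window`."""
    by_source = defaultdict(list)
    for ts, src, target, share, _account in events:
        if is_admin_share(share):
            by_source[src].append((ts, target))
    findings = {}
    for src, hits in by_source.items():
        hits.sort()
        best = set()
        # Slide a window starting at each hit; keep the largest distinct-target set.
        for i, (start, _) in enumerate(hits):
            in_window = {t for ts, t in hits[i:] if ts - start <= window}
            if len(in_window) > len(best):
                best = in_window
        if len(best) >= threshold:
            findings[src] = sorted(best)
    return findings


if __name__ == "__main__":
    for src, targets in find_fanout(parse_events(SAMPLE_EVENTS)).items():
        print(f"{src} opened admin shares on {len(targets)} hosts: {', '.join(targets)}")
```

The helpdesk host that touches a single ADMIN$ share is not reported, and neither is 10.0.2.40's isolated access half an hour later; only the burst of four distinct targets inside five minutes is. In practice the threshold is tuned per environment, and known deployment servers are allow-listed rather than excluded from collection.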

Things could be done differently. Cyberwarfare occurs at the individual endpoints, not necessarily the network perimeter. In order to combat this trend, networks need to be segmented at the lowest possible level, and cross-segment communications should be closely monitored. Most importantly, dynamic defensive capabilities at the endpoints need to be technically precise, agile and flexible.

Methods to combat cyber-attacks, like the use of open indicators of compromise (IOC), should be as flexible as possible. Open IOCs combine many forensic elements into one indicator. Conceptually, IOCs need to do three things: identify only adversary activity, be inexpensive for defensive forces to research and develop, and be expensive for the adversary to evade. The attacker would have to drastically change his tactics, tools or approach, making the targeted network an undesirable or impossible system to breach. There are few places in an information system where an adversary can hide. In this game, organizations with the most flexible tactics win.
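The three properties above are easiest to see with a concrete indicator. The Python below is an added example, not code from the article or from any IOC vendor; it evaluates a small OpenIOC-style definition (OpenIOC is Mandiant's XML format, which the article does not name, so treating "open IOC" as that format is an assumption) against artifacts gathered from one host. The hash, file name and registry value in the indicator are placeholders, not real indicators, and the host evidence is constructed. The AND branch shows the evasion-cost point: two cheap, individually weak observations that an attacker must both change to slip past.

```python
"""Added example (not from the article): evaluate an OpenIOC-style indicator
against artifacts collected from one host.

An OpenIOC definition is a tree of <Indicator operator="AND|OR"> nodes whose
leaves, <IndicatorItem>, each name one forensic term (the Context "search"
attribute) and the value to look for. Everything below is constructed; no
hash, file name or registry value here is a real indicator."""
import xml.etree.ElementTree as ET

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed indicator: a single hash OR (a dropper-like file name AND a
# persistence value). The AND branch pairs two weak terms that are cheap to
# collect but must both be changed by an attacker to evade the indicator.
SAMPLE_IOC = """\
<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="example-0001"
     last-modified="2014-01-01T00:00:00">
  <short_description>Constructed example indicator</short_description>
  <definition>
    <Indicator operator="OR">
      <IndicatorItem condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">00000000000000000000000000000001</Content>
      </IndicatorItem>
      <Indicator operator="AND">
        <IndicatorItem condition="contains">
          <Context document="FileItem" search="FileItem/FileName" type="mir"/>
          <Content type="string">dropper</Content>
        </IndicatorItem>
        <IndicatorItem condition="is">
          <Context document="RegistryItem" search="RegistryItem/ValueName" type="mir"/>
          <Content type="string">PlaceholderPersistence</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>
"""


def _local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def _item_matches(item, evidence):
    """Test one IndicatorItem against the values observed for its search term."""
    term = item.find("ioc:Context", NS).get("search")
    expected = (item.find("ioc:Content", NS).text or "").strip().lower()
    condition = item.get("condition", "is")
    observed = [v.lower() for v in evidence.get(term, [])]
    if condition == "is":
        return expected in observed
    if condition == "contains":
        return any(expected in v for v in observed)
    raise ValueError(f"unsupported condition: {condition!r}")


def _indicator_matches(node, evidence):
    """Recursively combine child results with the node's AND/OR operator."""
    results = []
    for child in node:
        if _local(child.tag) == "IndicatorItem":
            results.append(_item_matches(child, evidence))
        elif _local(child.tag) == "Indicator":
            results.append(_indicator_matches(child, evidence))
    if not results:
        return False  # an empty clause never matches
    combine = all if node.get("operator", "OR").upper() == "AND" else any
    return combine(results)


def evaluate_ioc(xml_text, evidence):
    """Return True if the host evidence satisfies the IOC definition.
    `evidence` maps a search term such as 'FileItem/Md5sum' to observed values."""
    definition = ET.fromstring(xml_text).find("ioc:definition", NS)
    return any(_indicator_matches(ind, evidence)
               for ind in definition.findall("ioc:Indicator", NS))


def required_terms(xml_text):
    """List the forensic terms the IOC needs, so a collector knows what to gather."""
    root = ET.fromstring(xml_text)
    return sorted({ctx.get("search") for ctx in root.iter(f"{{{NS['ioc']}}}Context")})


if __name__ == "__main__":
    # Constructed host artifacts: a renamed dropper plus the persistence value.
    host = {"FileItem/FileName": ["Dropper.exe", "notepad.exe"],
            "RegistryItem/ValueName": ["placeholderpersistence", "Run"]}
    print("collect:", required_terms(SAMPLE_IOC))
    print("match:", evaluate_ioc(SAMPLE_IOC, host))
```

`required_terms` is what keeps the indicator inexpensive for the defender: it tells the collector which artifacts to pull from an endpoint before any matching happens. A real evaluator would also honour OpenIOC's `negate` attribute and the other conditions (`matches`, `starts-with`, and so on), which this example omits.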

For organizations without an in-house intelligence collection operation, crowdsourced intelligence can be a huge benefit. Companies like IOC Bucket LLC provide organizations ways to secure their endpoints by using a crowdsourced method. The company holds the largest online database of open indicators of compromise on the web. It maintains IOCs for notable autonomous logic worms like Stuxnet, Flame and Conficker as well as provides indicators of compromise for novel threats like the Zeus Gameover, Cridex and Shylock Trojans that have been plaguing the financial sector.

As National Defense Magazine reported in a recent blog, titled “Fearful of Cyber-attacks, Military Tightens Control Over Data Networks,” the current thinking is that by “minimizing the number of points of entry into the military’s data networks, systems can be better defended.” What method would an adversary take in order to strike a U.S. military network?

The answer: bypassing the network perimeter and relying on software’s organic logic to fulfill its purpose. There are endless examples of this tactic being used during every major cyberstrike over the past five years.

In order to compete with new and emerging threats, security architectures must be compartmentalized and dynamic defensive capabilities introduced. Autonomous logic is the threat. Most networks are not prepared for such an attack, and the reduction of points of entry means decreased compartmentalization and an increase in internal attack surfaces that are vulnerable to autonomous logic.

Robert Johnston is a network security professional. He can be reached at
