On the front line of the fight against malware

SophosLabs' researchers spend their days trying to understand, and counter, emerging security threats

The IT security landscape has changed dramatically since the early days of hackers interested in unauthorised exploration of computer systems and relatively light-hearted, just-for-the-hell-of-it viruses like Stoned.

The explosion in the number of software-controlled devices – from PCs, to mobile phones, to industrial control systems – and the growth of the networks that connect these devices – most notably the Internet – means the media in which malicious programs can operate and propagate have expanded.

And it's also meant that there is a lot of money, both at stake and to be made. What Bruce Sterling described as the 'End of the Amateurs' in his 1992 classic, The Hacker Crackdown: Law and Disorder on the Electronic Frontier, has led to the growth of whole new industries.

On the one hand, cyber-crime – from spam, to phishing, to computer-based industrial espionage – has come into its own as a genuine industry. While the amount of money that, say, spammers make from flooding inboxes is difficult to assess, a report issued by the Washington DC-based Center for Strategic and International Studies in July this year had a stab at estimating the cost of cyber-crime to the global economy.

The Economic Impact of Cybercrime and Cyber Espionage put the cost at 0.4 per cent to 1.4 per cent of global GDP; that is, between US$300 billion and $1 trillion.

On the other hand, dissecting the modern-day descendants of software like the WANK worm has spawned a second industry: the army of cyber-security pros whose job it is to stay one step ahead of a fast-moving threat landscape – or, at least, try to. The pace of malware development has accelerated dramatically, compared to what could be dubbed the 'Stoned age'.

"When the malware industry started up there were a few pieces of malware around – in the tens, twenties, thirties," says Simon Reed, vice-president of SophosLabs, the research and threat analysis arm of security vendor Sophos.

In the now dim-seeming past before malware development had come into its own as a serious money-making venture, security researchers had the luxury of time. "The speed of development was very slow," Reed says.

Most infections were not likely to occur over a network or the Internet; instead most malware would propagate via storage media, typically floppy disks (though to be fair, there are some noteworthy examples of contemporary malware whose payload has been designed to be delivered through offline storage).

In those days, "malware got delivered into the lab, and there was a group of people that would all stare at it, then go home, then stare at it again," Reed says.

"And after five days, they might write some detection and test it the next day, test it again the next day, and at the end of the month it gets burned on CDs or floppy disks and gets sent out."

"It's not like that anymore," the security researcher adds. "The volume is just exponential."

Coping with the explosion in the amount of malware has obvious implications for how security companies respond. Pushing the limits of what's possible with automation is key, Reed says.

"A lot of our focus, and I'd actually say the largest part of my role, is figuring out with my teams of analysts and systems developers how to bring automation into play," he explains.

"How you can, not focus on one particular piece of malware, but focus at classes of malware and then put systems in place that respond... A lot of our work is around systems, automated processing and automatic delivery of protection to customers. That's really the essence of what the lab does."

"When the analysts are not on the front line, the focus is malware research – looking at current and future threats, understanding them and developing responses to that class of threat, whether it be malware, whether it be on PC, Mac, Android etc. Or whether it is a Web threat," says Reed. "The goal of that aspect of the labs is 'zero day detection'."

SophosLabs has teams in Oxford in the UK, where Reed is based, Vancouver in Canada, Budapest in Hungary, and Sydney, Australia. The network of labs has a 'follow-the-sun' model: One of the labs is always active and monitoring malware activity, through reports from customers, through telemetry and through partner organisations.

"Malware doesn't know business hours, and with the global nature of the Internet and threats, these sort of things can bubble up at any time," Reed says.

In addition to researchers being organised by the office they work out of, SophosLabs has 'tiger teams' of researchers that are based around a particular area of computer security rather than geographically.

"There have been occasions where during [a big outbreak] I've worked with people in two other labs at the same time," says Sean McDonald, who leads the Sydney branch of SophosLabs.

"There is a certain level of being 'on call' when you work in the security industry. I'm happy to say it's been a while since that's happened. But there is that notion that if stuff really needs to be done, then people can come back in [to the lab] and help out."

McDonald says that the follow-the-sun model means that a day at the Sydney office starts with a handover process from the Vancouver lab. "They hand over the baton," he says.

"We have an electronic process to record that information so it's not lost that all labs can view at any one point in time, so when we get in, we look at what we call the handover. There is still that overlap between our lab and the Vancouver lab, such that if you really need to talk about something there are still plenty of people around."

Even after a handover, there is still some overlap between any two labs in the network. "There are still people hanging around to help over if need be," says McDonald.

"We've got a number of projects running at any one point in time. There's always things to be handed over in terms of updating progress for different things. We have tiger teams around the world, looking at rootkits for instance.

"There's not rootkit research only in the UK, for instance – there's going to be some in the UK, some in Vancouver, some in Australia and some in Budapest, and those researchers might form together to combine their brain power to solve problems."

On a typical day, which is itself a slightly abstract concept for the SophosLabs teams, says McDonald, the Sydney team gets in, takes a look at the handover data and then splits up to work on different areas.

"Some people are going to be looking at the front-line sort of stuff, and they'll be looking at what's going on in our customer world, making sure everything's been dealt with, making sure there are no escalations – making sure they don't need to ring any bells," McDonald says.

Other people in the team will work on ongoing research projects. "So with me and a lot of people in my team, we work in the Android space. We'll pick up where our tiger team colleagues have left off and continue on with the research that we're doing.

"Sometimes that research can be a day task, a two-day task. Sometimes it's going to be planning well into the future – as you can imagine the threat landscape's going to change. If we don't prepare somewhat for that change obviously we'll be caught flat-footed."

Near the end of the day a call goes out to researchers that the handover to the next lab in SophosLabs' network is about to be sent. "After that, realistically our front line work is done for the day and the folks doing that will probably get back onto the tiger team research," says McDonald. "Some of that can be looking at a threat that actually came in that day" – for example, a particularly novel-seeming piece of malware.

"I might have already [reverse engineered the sample] to understand it, but then what I might do is write some routines to gather some telemetry to see how big a problem it might be. Sometimes a novel threat is not-so-novel as it turns out, and we don't see too much of it any more. Sometimes it's the start of something bigger."

With the labs' work "there's lots of smaller cogs," McDonald explains. "There's bigger cogs that take a long time to turn. Then there's lots of smaller ones that we have to do to turn that bigger cog as well, to actually make sure we look after immediate concerns, medium-term concerns and long-term concerns."
