It’s said there are two groups of organizations – those that have been hacked and those that are going to be hacked. Or as a later version would have it for the second group, those that have been hacked but don’t know about it yet.
With as many as 500,000 new malwares daily, it is little wonder that there is a degree of complacency towards cyber security. But that could change with an ingenious solution from the Israeli cyber security start-up CyActive.
Creating new malware
In an interview with Engerati at the Smart Energy UK & Europe Summit 2015, Danny Lev, CyActive’s chief marketing officer, explained the background: “When an organization experiences an attack, a security measure is placed in order to block it. However, the hacker can then simply make a slight modification to the original code to evade the security measures. These variants form a never-ending cat and mouse game between hackers and defenders. When you look at the APT (advanced persistent threat) level, you’ll find there has never been an attack chain to date that did not contain at least one reused component.”
“Of the new malwares, 98% are ‘direct descendants’ or variants of old versions, and of the remaining 2%, 1.99% are ‘cousins’ that share modules and methods.”
Given this information CyActive’s approach, using biomimicry, is to take the malware sample and permute it to predict the thousands of variants that hackers would likely retool over a three to five-year period ahead.
“We are effectively fast forwarding the future of malware evolution,” says Lev, noting the near impossibility due to costs and time to write from scratch a complete new attack chain.
She adds that the company addresses the “investment asymmetry between hackers and defenders – for every dollar invested by hackers on little variations, thousands are lost by the defenders dealing with them.” Citing examples from the financial sector for which figures are available, she says that Zeus variants cost $100 but its impact damage was over $100 million, while Black POS, the reused malware behind the attack on Target and Home Depot, cost $1,800 per variant but inflicted damage of over $250 million. “In each of these attacks, our solution could have stopped the whole attack chain, based on the reused component.”
The guard for critical infrastructure
This foreknowledge is used to train a detector, which Lev likens to a guard who has been trained on future weapons. “First predict the future weapons, then train the guard on those and then make that guard available.”
In this case of course, the “guard” is a piece of software that is platform agnostic, so that it can be deployed both at the network level, in what CyActive terms an “appliance”, and at the end-point level (HMIs and PLCs for example) inside an “agent”.
The solution is designed to overcome several specific challenges experienced in the operational technology (OT) environment. With ‘virtual patching’, it minimizes the need to roll out patches. With a detector which is relevant for 3-5 years into the future, it addresses the low or non-existent update frequency due to the constraints on equipment downtime. Second, its small size circumvents the limited memory and processing power of legacy IT that would be unable to run a heavy solution.
Cyber security as a service
The other benefit of the solution, Lev comments, is that it supports the trend of cyber security as a service package – a benefit also noticed by Siemens, which through its venture capital unit, invested into CyActive in September 2014.
“We have observed a trend of vendors transitioning from an O&M model to a service package model and cyber security can be embedded within that package,” explains Lev. “This will help the utility manage cyber security across all their devices, and will help them comply with regulation such as NERC-CIP in the US.”
Lev notes that cyber security solutions for the OT market are still relatively nascent and a variety of options are proposed, such as creating an OT firewall that can be run across a variety of different machines, or a network solution that runs at the main entry points of information into the plant.
Lev also advises that OT and IT must work together on cyber security. “OT typically prioritizes functionality and IT typically prioritizes integrity and confidentiality. Together, they are two sides of the same coin – they both want the same thing in the end.”