The Dangers of Chasing the Next Flame [Malware]

Tuesday, June 05, 2012

Rafal Los

0a8cae998f9c51e3b3c0ccbaddf521aa

In case your cave doesn't get Internet or television, radio and you haven't talked to another technically-inclined soul in the last few days there is a relatively newly-discovered nasty piece of custom malware called "Flame" out there.

It doesn't help anything for me to write what everyone else already has, and to do any more analysis on the malware, its origins or to wave my hands wildly and try and warn you of the next chapter in Cyber War (sorry, couldn't resist)... but this post is more about the practical viewpoint on yet another in a line of increasingly complex and evil custom malware.

First, let's be clear, if someone has gone to the trouble of committing several hundred man-hours of [highly intelligent] resources to developing a custom piece of malware that exploits several different open attack vectors and essentially targets specific organizations - this is a direct shot across the bow.  

In fact, this may actually be a direct shot into the hull which we've only discovered once it's run its effective duty cycle... or slightly earlier.  

Developing this thing couldn't have been cheap, and while developers who will write code in exchange for money are everywhere - really good developers who will write **bleep** sneaky code like this that's very, very intelligent and complex - those aren't people you can pick up out of the average secondary school.

Are we (in general) under cyber attack?  Yes - but we as a security and business community have been aware of this issue for quite some time. Is there an increasing escalation in the ferocity with which complex organizations are being attacked by unknown parties?  Absolutely.

Is right now a better time to panic than before if you haven't yet woken up to the threat of cyber attacks against your organization?  To answer a question with another question - "What's stopped you from caring before, and why is this attack against someone else (presumably not you, directly) any different?"

Fundamentally, this targeted attack against specific entities, sneaky and nasty as it may be, changes little for most organizations still finding themselves far behind on even the most basic security controls.

It's common to hear CISOs speak of the fear purpose-built cyber-weapons such as Flame possess and their potential response, when their own organization is lacking even the most basic change control processes - forget any real level of security basics.  

This phenomenon is affectionately referred to as "chasing fireflies" because as we chase these fleeting issues we're completely diverted from the basic tasks that we need to keep doing to make our enterprises resilient to attacks such as Flame.

As you start getting the questions (if you haven't already) such as "What do we do about Flame?" from your customers and internal business remember this - is the group asking advanced enough to have to think about this level of attack?  

Too often times the answer is "Nothing" because this is a highly sophisticated attack and your particular organization has so many more avenues for exploit that it doesn't make sense to try and prepare for such a complex attack.  

Focus on fundamentals.  Focus your energy on gaining a better level of visibility across your enterprise so you can see the threats you have a chance of stopping today - and worry about those advanced threats tomorrow.

One thing at a time. Tomorrow will likely bring a new variant of Flame or a yet uglier, more targeted version of custom-written malware... but if you don't have your enterprise resiliency fundamentals in order, who really cares what the more advanced threats are doing?

Cross-posted from Following the White Rabbit

Possibly Related Articles:
10968
Viruses & Malware
Information Security
Enterprise Security malware Cyberwar Infosec Resilience Targeted Attacks Flame W32.Flamer
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.