The Stack Archive

Regin: Businesses must identify indicators of compromise to beat spyware, says Symantec partner

Thu 18 Dec 2014


The Stack speaks with Andrew Shea, vice president of Symantec partner and security solutions provider Conventus, about the newly discovered spyware Regin, which has been infecting global organisations for over six years.

What is Regin and why has it taken several years to uncover?

Regin is a new strain of malware and a completely new form of attack. It is very advanced and methodical software. There are several different components to Regin, including a data collection platform, effective encryption capabilities, and other features which allow it to exploit vulnerabilities in a customer environment. These types of components working together make it a highly advanced platform, as opposed to simple traditional malware.

With cyberattacks and malware there are always a number of challenges to face, particularly around trying to find out where the attack begins and ends. These challenges increased with Regin as it has four different combinations. Additionally, its complexity makes it very hard to define holistically. Therefore, we have struggled firstly to identify and define it in terms of its four components, and secondly to articulate it into a complete and comprehensive picture.

What makes it so complex and how does it get past these highly advanced security systems?

Regin contains very sophisticated technology which identifies vulnerabilities in existing customer environments. The malware is classically a zero day threat, meaning it exploits vulnerabilities that have not yet been published into the public forum. There are existing vulnerabilities that have already been defined and, in this case, the Regin platform attacks both of these. Zero day vulnerabilities are holes in existing commercially available software, operating systems, web servers, and application servers for example. It takes advantage of nearly half a dozen different zero day vulnerabilities, which prior to Regin were unknown.

Who does it target and what threats does it pose to these organisations?

It’s been a fairly wide attack. There have been federal government targets and initially these were some of the primary victims, specifically departments of defence. It then grew out into the commercial space, with a focus on financial services and banking.


Regin really constitutes a new threat to the extent that it’s not a single piece of malware that’s trying to exploit a single zero day vulnerability or known vulnerabilities. It attacks more comprehensively and highlights the fact that today’s threats are executed towards one or more individuals across a significant period of time.

From a threat standpoint, when we think of classic defence, a company would normally make sure that its perimeter is sound and relies on that perimeter to be its first line of defence. In this case, the attack uses zero day vulnerabilities so the attackers exploit weaknesses that they aren’t even aware of – the perimeter can no longer be relied on.

Key security control technology has the ability to determine zero day threats that exist at a network, server and endpoint level. However, the reality is that not all organisations have deployed these levels of technology. The real threat is not being able to see the attack at all.

Comparisons have been made with Stuxnet, used to attack Iran’s nuclear programme. How does Regin differ from Stuxnet?

I think it's a very apt comparison. Regin is very similar to Stuxnet. In both pieces of malware, there are multiple elements to the platform. There are discovery capabilities, zero day exploit capabilities, and advanced intelligence which actually gets inserted into the environment and evaluates what other opportunities and vulnerabilities exist. The primary difference is that with Stuxnet applications were completely rewritten and replaced.

Which other forms of malware must companies keep an eye out for at the moment? What can businesses do to protect themselves against these attacks?

There's quite a list and that depends on the nature of the organisation and what platforms are in use. There are a couple of key data sources that I would recommend to businesses. One area of focus is being able to identify indicators of compromise, which are the technical tell-tale signs that something is awry in an environment. There are several good open-source sites that have a list of indicators of compromise so companies can take these and apply them to their existing security tools. For example, they could use a host-based intrusion detection platform with the list of known indicators of compromise to see if they have any zero day threats on their servers.

Attacks like Regin help highlight the fact that a new effort is required to defend organisations successfully. Companies need to move away from looking for malware and look instead for indicators of compromise, which really are sure-fire signs that you are under attack, have been breached, or have activity that may lead to a breach.

This new methodology of looking for attack behaviour or attack indicators as a means to articulate an attack should now be a required approach. Identifying these signs requires two things, greater intelligence and a greater knowledge of what’s happening in the global space. It seems naïve for businesses to simply look at the data that their own security controls provide them, and to base their strategy on that. It should be absolutely mandatory today to have a much broader global view of the threats that are out there.

New technologies that help identify zero day attacks are critical at the gateway, network, server, and end-point level, such as sandboxing and behaviour-based technologies.
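The approach Shea describes above, taking a published list of indicators of compromise and applying it to host and network data, looks like the following in practice. This is an added example written for this page; it is not code from Conventus, Symantec, or the interviewee, and it contains no real Regin indicators. The IoC list, the files on disk and the DNS log lines are all constructed for the demonstration (the file name `svchost32.dll` and the domain `update.example-c2.invalid` are hypothetical); a real deployment would load a vendor or open-source IoC feed and point the scanner at real paths and logs.

```python
"""Match a host's files and DNS activity against a list of indicators of compromise.

Added example for this article, not code from the original page. Every
indicator and every input below is constructed for the demonstration.
"""
import hashlib
import tempfile
from pathlib import Path

# Constructed IoC list in the three forms a feed commonly publishes:
# file hashes, file names and command-and-control domains.
CONSTRUCTED_IOCS = {
    "sha256": {hashlib.sha256(b"constructed dropper payload").hexdigest()},
    "filenames": {"svchost32.dll"},              # hypothetical name, not a real indicator
    "domains": {"update.example-c2.invalid"},    # hypothetical C2 domain
}


def sha256_file(path):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_files(root, iocs):
    """Walk a directory tree and report every file whose hash or name is listed."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        digest = sha256_file(path)
        if digest in iocs["sha256"]:
            hits.append({"type": "hash", "path": str(path), "value": digest})
        if path.name.lower() in iocs["filenames"]:
            hits.append({"type": "filename", "path": str(path), "value": path.name})
    return hits


def scan_dns_log(lines, iocs):
    """Match queried names in DNS log lines of the form '<timestamp> <client> <qname>'.

    A listed domain matches exactly or as the parent of any subdomain, so
    'beacon.update.example-c2.invalid' is caught by 'update.example-c2.invalid'.
    Malformed lines are skipped rather than raising.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        qname = parts[2].rstrip(".").lower()
        for bad in iocs["domains"]:
            if qname == bad or qname.endswith("." + bad):
                hits.append({"type": "domain", "client": parts[1], "value": qname})
    return hits


def run_demo():
    """Build a constructed host image and DNS log, scan both, and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "notes.txt").write_bytes(b"harmless file")
        (root / "svchost32.dll").write_bytes(b"benign content, suspicious name")
        (root / "cache").mkdir()
        (root / "cache" / "blob.bin").write_bytes(b"constructed dropper payload")
        file_hits = scan_files(root, CONSTRUCTED_IOCS)

    dns_log = [  # constructed log lines
        "2014-12-18T10:00:01Z 10.0.0.5 www.example.com.",
        "2014-12-18T10:00:07Z 10.0.0.9 beacon.update.example-c2.invalid.",
        "malformed line",
    ]
    dns_hits = scan_dns_log(dns_log, CONSTRUCTED_IOCS)
    return {"files": file_hits, "dns": dns_hits}


if __name__ == "__main__":
    results = run_demo()
    for hit in results["files"] + results["dns"]:
        print(hit)
```

The two file hits differ in strength: a hash match identifies a known sample, while a file-name match only warrants a closer look, since legitimate software can share a name with an indicator. Domain matching includes subdomains because beacons frequently rotate a host label under a fixed parent domain.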

Some sources have suggested that there will be fewer but more sophisticated cyber-attacks in the future. Do you agree with the prediction?

From what we are seeing, attacks in general are far more sophisticated. Software platforms that have multiple components mimic what we see in businesses today, which deploy applications to collect sales data for example – it’s malware that’s that complex. These attacks have many tiers targeted towards a very specific business purpose. In fact, we’re seeing more complex threats and attacks and we’re beginning to discover them because we have access to far better funding, and far greater resources.

