Why Hidden Malware May Be a Potential National Catastrophe

SECURITY ANALYSIS: Command-and-control channels let an attacker execute commands that could range from stealing personal information to ransomware attacks to pulling email (and getting insider information) to emptying accounts. This is a growing threat, and here's what some companies are doing about it.


I’m at Dell Technologies World in Las Vegas this week, and one of the more interesting meetings I had was with one of Dell’s security firms, SecureWorks. Last week I was at BlackBerry’s analyst event, and it was interesting to contrast the two offerings.

Cylance is a security company now owned by BlackBerry, and the SecureWorks and Cylance offerings are surprisingly similar. But, ironically, I think Cylance is stronger at the device level, while SecureWorks appears stronger at the site level. Both are hell-bent on providing artificial intelligence capability to reduce the load on security analysts, and both are moving from machine learning to deep learning to get there.

Both firms can also show that their AI tools are discovering attacks that non-AI tools aren’t picking up, and two of those findings concerned me a lot, because the implications could be devastating at a national level.

Hidden command and control and ransomware in financial services

We often talk about banks as huge targets for attacks aimed at both the personal information and the financial resources of their customers. But these new AI tools are turning up dormant command-and-control implants (the agents inside a network that call back to an attacker’s command-and-control server) and ransomware that are not yet acting but have been aggressively placed inside financial institutions. When located, these implants and ransomware/malware packages are blocked, but because they are still dormant there is no real way to tell what nefarious purpose they were put in place to serve. That is a reason to preserve the sample and its call-back destinations for analysis rather than simply blocking and moving on.

The command-and-control channel exists so the attacker can issue instructions to the implant, which could range from stealing personal information to launching ransomware to pulling email (and the insider information in it) to emptying accounts. Depending on the attacker’s goals, the implant could even be directed to execute trades.

What concerns me is that even the newer machine-learning products aren’t picking all of these up; only the newest deep learning products seem capable of finding them. This suggests that many financial institutions may be compromised and not know it. Given that we don’t know who is behind these implants, and we do know they are extremely good at staying hidden, the chance that they are funded by a hostile state as part of a future nationwide coordinated cyber-attack on our financial institutions can’t be ignored.

A criminal attacker with a foothold in place would normally act quickly, to accomplish their goals before they risk discovery. Hostile states have very different goals, tied to conflict, and can afford to keep an implant dormant until it is needed. That difference is what should be keeping a lot of financial CIOs up at night.
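As an added, illustrative example (not code from the original article, and not a description of how the SecureWorks or Cylance products work), the following Python script shows the kind of check a defender can run without any deep-learning tooling: looking for low-and-slow beaconing in egress proxy logs. A dormant implant usually still checks in with its command-and-control server on a fixed schedule, with small, uniform requests, and that regularity is a statistical signature ordinary browsing does not have. The log format, the client IP, the host names, the timings and the thresholds are all constructed for this example.

```python
"""Find low-and-slow beaconing in egress proxy logs.

Constructed example: a host that checks in with one destination every hour
with a few seconds of jitter and tiny, uniform requests (what a dormant
command-and-control implant typically looks like from the network), next to
ordinary irregular browsing from the same host.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

# Assumed log format (constructed for this example):
#   <ISO-8601 timestamp> <client IP> <destination host> <bytes sent>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) (?P<dst>\S+) (?P<bytes>\d+)$"
)


def build_constructed_log():
    """Return constructed proxy log lines (no real traffic behind them)."""
    start = datetime(2019, 4, 30, tzinfo=timezone.utc)
    lines = []
    # 24 hourly check-ins with a few seconds of jitter and 410-412 byte requests.
    jitter = [0, 3, -2, 5, -4, 1, 2, -3, 4, -1, 0, 3,
              -2, 1, 4, -3, 2, 0, -1, 5, 3, -2, 1, 0]
    for i, j in enumerate(jitter):
        ts = start + timedelta(hours=i, seconds=j)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} 10.1.5.23 "
                     f"cdn-updates.example.net {410 + i % 3}")
    # Ordinary browsing: irregular gaps between requests and irregular sizes.
    gaps = [0, 37, 410, 95, 2200, 12, 3900, 640, 55, 7400,
            130, 24, 5100, 900, 70]
    t = start + timedelta(minutes=7)
    for k, g in enumerate(gaps):
        t += timedelta(seconds=g)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} 10.1.5.23 "
                     f"news.example.com {5000 + 731 * k}")
    return sorted(lines)  # ISO timestamps sort correctly as strings


def parse_log(lines):
    """Parse log lines into (timestamp, src, dst, bytes) tuples, skipping junk."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc)
        events.append((ts, m["src"], m["dst"], int(m["bytes"])))
    return events


def beacon_candidates(events, min_connections=12,
                      max_interval_cv=0.05, max_size_cv=0.10):
    """Group events by (src, dst) and flag pairs whose inter-connection
    intervals and request sizes are both nearly constant.

    The coefficient of variation (stdev / mean) is scale-free, so the same
    threshold works for a beacon every 60 s and one every 6 h. The thresholds
    are assumptions for this example, not tuned values.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, size in events:
        by_pair[(src, dst)].append((ts, size))

    findings = {}
    for pair, obs in by_pair.items():
        if len(obs) < min_connections:
            continue
        obs.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(obs, obs[1:])]
        sizes = [size for _, size in obs]
        if mean(gaps) == 0 or mean(sizes) == 0:
            continue
        interval_cv = pstdev(gaps) / mean(gaps)
        size_cv = pstdev(sizes) / mean(sizes)
        if interval_cv <= max_interval_cv and size_cv <= max_size_cv:
            findings[pair] = {
                "connections": len(obs),
                "mean_interval_s": round(mean(gaps)),
                "interval_cv": round(interval_cv, 4),
                "size_cv": round(size_cv, 4),
            }
    return findings


if __name__ == "__main__":
    found = beacon_candidates(parse_log(build_constructed_log()))
    for (src, dst), stats in found.items():
        print(f"beacon candidate {src} -> {dst}: {stats}")
```

On the constructed data the hourly cdn-updates.example.net traffic is flagged and the news.example.com browsing is not. Two caveats matter in practice: legitimate software (update checkers, telemetry agents) beacons on a schedule too, so the output is a triage list rather than a verdict, and an implant that sleeps for weeks or randomizes its intervals widely will not show up in a check like this at all, which is precisely the gap the article is pointing at.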

Law firms

Another class of company being targeted aggressively by these super-stealthy offerings is law firms. The speculation, given that these are mostly very large firms that do a lot of M&A work, is that the effort is to obtain insider trading information. This is less of a national threat, but it could be a firm killer, because the Securities and Exchange Commission takes a very dim view of anyone who participates in insider trading, and the SEC could plausibly trace an identified insider trading event back to the compromised law firm. Thinking more broadly, what will the clients of that firm do if and when they find that all the confidential information they entrusted to the firm’s servers is now public?

This could not only kill the law firm but also do massive damage to the firm’s clients, and since we are talking about some of the largest law firms in the U.S., the damage could be widespread. Imagine if emails discussing a known safety issue at an aerospace or automotive company suddenly became public. The discussion might simply have been an attempt to understand the liability and do the right thing, but the optics would be that the company put money before lives, at scale.

That would be a company killer too, either through punitive government action or through customers simply deciding they don’t want to buy from a firm that appears willing to get them killed.

Wrapping up

When we are talking about security, it is the threat you don’t know about that is potentially the scariest. With hostile state-level players in the segment that have near-unlimited resources to create and propagate malware, via everything from online methods to compromised employees, the need to deploy the most advanced solutions has never been more critical. This is particularly true for firms that, if compromised, could do broad damage. Financial institutions are obvious targets, but I hadn’t really thought about law firms. There are likely other industry verticals that are critical to the operation of the nation but aren’t currently considered likely targets because, like law firms, their potential for damage is indirect.

It is clear to me that legacy security tools are no longer anywhere near adequate for the state-level attacks that are sweeping the world, and that only machine- and deep-learning AI-based tools may currently be able to mitigate this exposure. This will eventually migrate to quantum computers, and one of my biggest worries is that we get a quantum-level attacker before we have a viable quantum-level defense.

Right now there is only a small number of firms that have truly moved to machine and deep learning offerings and, once validated, they should be favored to catch these dormant threats before they wake up. It is clear to me that the clock is ticking; if we don’t mitigate before it hits zero, the result will be catastrophic.

Let me add that every trial I’ve so far seen using deep learning, regardless of company, has found dormant, previously undiscovered malware with the potential to do catastrophic damage. This makes me think this exposure is far greater than even these firms may realize.

Rob Enderle is a principal at Enderle Group. He is an award-winning analyst and a longtime contributor to QuinStreet publications and Pund-IT.