RSA Research Unit Hunts Cyber-Threats 'That Don't Have Names'

NEWS ANALYSIS: As members of the cyber-security industry gather for the Black Hat 2012 conference, one industry researcher says the key to better IT security is to identify the signs of attacks before they are launched.

At the Black Hat 2012 conference taking place July 21-26 in Las Vegas, cyber-security firms are sharing information on how to keep up with rapidly evolving threats. One researcher says it's not enough to fight known threats; you also have to track down developing threats as they first start to emerge.

"We focus on threats that don't have names," said Will Gragido, senior manager of the Advanced Threats Intelligence team, a newly formed unit at the cyber-security firm RSA. "We bring to light threats that are otherwise unknown."

RSA does that, Gragido explains, by analyzing network traffic patterns for "salient and actionable data" that identifies the signature of a potential threat. The research also seeks to identify "threat actors," specific people known to be cyber-criminals, by tracking their tactics and methods.

Up until now, he said, cyber-security has been confined to addressing individual types of cyber-crime activity, such as malware, data loss, SQL injection and Trojans, when a more comprehensive security approach is called for to tackle all sorts of threats. He analogized the team's approach to viewing a mosaic: instead of focusing on just one tile, one needs to pull back to see the full picture.

"People talk about parts of the threat landscape and [tend] to silo and compartmentalize those silos," Gragido said. "We're very fortunate in the sense that we're being allotted the opportunity to focus on the threat ecosystem."

Much of the innovation in the Advanced Threats Intelligence group comes from RSA's acquisition of NetWitness in April of 2011. NetWitness is a network monitoring platform that provides enterprises with a precise understanding of everything happening on their network. Such monitoring can detect types of data that may be leaving the enterprise network that shouldn't, such as sensitive customer data, and spot communications that can be traced to command and control environments that are associated with cyber-criminals. Without technology such as NetWitness, network administrators may not be able to detect such activity on their own.

"There are a number of data types that can be provided to an organization that … unequivocally denote a condition of compromise, and that's important to be able to provide that insight for the customers," Gragido said.

Also at Black Hat, RSA introduced the FraudAction Anti Rogue App Service, which it said is designed to detect and take action against rogue mobile apps that attempt to compromise a device with malware or launch phishing attacks. As the number of mobile devices accessing the Internet grows as an alternative to wired laptop and desktop computers, the cyber-security threat is going mobile, too.

RSA cited various industry research reports that claim that 71 percent of organizations allow their employees to use their own mobile devices for company business, that 86 percent of all Android malware is a version of legitimate apps repackaged with malicious payloads, and that the number of malicious Android apps jumped to more than 20,000 in July 2012.

Other research reports cited by RSA claim that Google's Android Market for downloading apps to Android-powered smartphones and tablets, as well as third-party app sites for Android, has been plagued by a proliferation of apps that surreptitiously deliver malware onto Android devices, although malware can infect other mobile platforms, too, including Microsoft Phone 7 and Apple iOS.