Security Research
Showing results for 
Search instead for 
Do you mean 

Incorporating Feedback from the Security Community - What does DVLabs do?

ryan_strecker ‎03-15-2013 08:47 AM - edited ‎03-15-2013 08:51 AM

On February 18, 2013, the American cyber-security firm Mandiant released a report detailing some of the inner workings of the Chinese PLA (People’s Liberation Army). If you’ve read the report, you most likely copied and pasted the link above into your browser instead of clicking it! Specifically, the document discusses a group called APT1, which the report alleges is responsible for the development and deployment of hundreds of families of malware.

 

This report is an example of the type of information DVLabs consumes on a daily basis in order to provide our customers with superior and timely protection against threats, known and unknown. The following breakdown describes TippingPoint protection solutions specifically relevant to the threats described in the report.

 

TippingPoint offers a service called RepDV, which is a customizable blacklist and whitelist for DNS and IP entries. Based on the large amount of malware our research teams watch and track, we decided to develop an internal database to house samples in order to better develop detection logic and signatures for our IPS product. When the report was released, our initial step was to ensure that any newly discovered malicious DNS entries were added immediately to RepDV and to start tracking any related malware samples for further analysis. In DV (Digital Vaccine) 8423 we released a set of signatures to cover the SSL certificates associated with malicious hosts from the report. Finally, our researchers have identified several malware samples that could be thwarted with filters and are actively working to release these signatures in the coming weeks.

 

In reality, investigation into APT1 began sometime around 2006. There is no doubt that governments around the world have been actively developing malware and exploiting vulnerabilities for much longer than that, at an unprecedented cost and timeline. What I’m getting at here is the fact that these entities are unlikely to continue serving malware on the hosts detailed in the report. The certificates are almost guaranteed to change, and I’d expect much of the malware to be updated or even completely replaced due to the publicity this particular report received. Based on this assessment, DVLabs will provide signatures only for malware that continues to communicate with remote hosts for malicious purposes. We may update or modify the certificates in the future if they are replaced or reconfigured. Finally, we will actively track the DNS entries that continue to serve malicious content and remove or replace those which do not.

 

This is neither an uncommon scenario nor one that is new to TippingPoint.  As with other sources of security intelligence, we leverage our tools and research capability to translate information like this into actionable intelligence to power the most effective security solutions in the industry. 

 

Steve Povolny

Manager, Digital Vaccine

0 Kudos
About the Author

ryan_strecker

Labels
Events
Aug 29 - Sep 1
Boston, MA
HPE Big Data Conference 2016
Attend HPE’s Big Data Conference on August 29 - September 1, 2016 to learn from peers in every industry and hear from Big Data experts and thought lea...
Read more
Sep 13-16
National Harbor, MD
HPE Protect 2016
Protect 2016 is our annual conference on September 13 - 16, 2016, and is the place to meet the world’s top information security talent, discuss new pr...
Read more
View all