After a quiet year on the advanced malware front we could soon see more activity, says Jason Healey.
After a quiet year on the advanced malware front we could soon see more activity, says Jason Healey.

After a quiet year on the advanced malware front, we could soon see more activity, says the Atlantic Council's Jason Healey. Karen Epper Hoffman reports.

Things may have appeared low-key last year in terms of high-profile malware threats, but when it comes to government cyber security, the relative quiet of 2013 probably means we're just in the eye of the storm, according to security experts like Jason Healey, director of the cyber statecraft initiative at the Atlantic Council, a Washington, D.C.-based think tank that promotes constructive leadership and engagement in international affairs.

“My overall concern is, as it's always been, is that it's a lot easier to attack than defend on the internet. And this past year, I'm worried we may have slipped past the tipping point,” says Healey (left), who is also an adjunct professor at Georgetown University. “Attackers have always had the advantage, but now they may well have the supremacy. We may be moving from the Wild West to Somalia.”

Other experts say that while 2013 did not give rise to the same sort of headline-grabbing malware attacks as the previous year – wherein a bevy of sophisticated malware threats, including Flame, Wiper and Gauss, were all discovered – security personnel must be on the lookout for increased activity. According to Howard Schmidt, formerly the special assistant to the president and cyber security coordinator for the federal government, this is simply the “lull before the storm.”

“We're seeing more people take and modify [malware] and do something else with it,” he says. “There's not less going on, it's just less visible. And what we are seeing in what the government is doing is being more diligent and not giving [hackers] the opportunity to use malware for sabotage or intelligence-gathering. But it doesn't mean it's not happening, it's just very, very discreet,” says Schmidt, also a former chief information security officer and chief security strategist for eBay. 

Meanwhile, Chris Petersen, chief technology officer and co-founder of LogRhythm, a security analytics firm, points out that few organizations have realized the required analytics driven defense capability that can make sophisticated malware visible. “This is an arms race in which too many organizations are failing to keep up,” he says. 

OUR EXPERTS: Fighting malware 

Ken Baylor, research VP for NSS Labs 

Stephen Cobb, security researcher at ESET Peter Firstbrook, research VP for Gartner 

Aryeh Goretsky, distinguished researcher with ESET 

Jason Healey, director of the cyber statecraft initiative at the Atlantic Council 

Al Pascual, senior analyst, security, risk & fraud at Javelin Strategy & Research 

Chris Petersen, CTO and co-founder of LogRhythm

Howard Schmidt, formerly the special assistant to the president and cyber security coordinator for the federal government

Matthew Standart, threat intelligence director for HBGary 

Harry Sverdlove, CTO for Bit9

Some industry insiders don't believe the pace of sophisticated malware development is slowing at all. “It is never quiet,” says Matthew Standart, threat intelligence director for HBGary, a technology security firm. “Much of the threatening malware we see today originates from a constant, underground, sophisticated economy that gets better and expands every year.” People from all across the world with increasing expertise make a living from the various aspects that derive from the demands to compromise networks, he says.

Whether it is research and development, exploitation and compromise, or executing and achieving mission objectives, there are professionals that are diametrically opposed to the computer security professionals that protect our networks, and they are as active as they ever have been in the past, he adds.

Other experts agree that the lack of major news about specific sophisticated espionage attacks in 2013 is no indication that there is in fact a slowdown of such activity or that the majority of the situation has already been uncovered. In fact, Harry Sverdlove, chief technology officer for Bit9, a firm that provides network security services to the U.S. government as well as several Fortune 100 firms, believes it may be evidence that “advanced espionage teams have become better at working under the radar in light of previous discoveries and disclosures.”

Even though Stuxnet was discovered and reported in 2010, he says, some of its components (as well as the corollary Duqu worm) have been traced back to 2007. While Flame was discovered in 2012, it is believed to have been active for at least five years prior, he points out. 

“Most advanced attacks are discovered months or years after being first active in the wild,” says Sverdlove. “It is entirely foreseeable, if not inevitable, that we will learn in the future of new attacks that actually occurred in 2013.” 

Ken Baylor, research vice president for NSS Labs, adds that nation states have shown what they have and released samples against targets. “Other nation-states are dissecting the malware and trying to one-up each other in secret,” he says. “There has likely been huge research and development in this space and everyone is holding their latest weapons very close to their chests.”

Other experts point out that simply because the cyber espionage news focused squarely on Edward Snowden and his National Security Agency (NSA) revelations for much of the past year, doesn't mean all was quiet. Aryeh Goretsky, distinguished researcher with IT security firm ESET, reports that there have indeed been several nation-state malware attacks over the past year outside the United States. These malware attacks include: Win32/trojanProxy.Agent.NJK, which targeted Taiwan and Vietnam; Win32/Syndicasec.A attacking systems in Nepal and China; and Win32/Agent.NLD, which targeted Pakistan.