Read the full dialogue below (or listen to the interview from Black Hat 2018).


Almost every day we can read about another business falling prey to a sophisticated cyberattack and its customers suffering through another compromise of their data. Most businesses think it won’t happen to them – until it does.

Not all companies are targets, but not all malware specifies a target. ICS/SCADA facilities are especially vulnerable and figure prominently among targeted technologies. If you’re skeptical, listen to this interview and learn about the stealthy signaling technologies attackers use (such as pulsing cooling fans) to get at data. You’ll also hear about innovative endpoint defenses that can be effective against these attacks.

Gathered at Black Hat 2018, Julian Zottl with Raytheon and Willy Leichter with Virsec discuss the challenges and innovative solutions.

Paul: Welcome everyone to Black Hat. This is Security Weekly broadcasting live from the Black Hat security conference in very sunny and hot Las Vegas, in the pool cabana. And I’m here with some special guests: Willy Leichter with Virsec, and Julian Zottl from Raytheon. How did you two guys meet?

Willy: Our companies are partnering. We met today actually. Raytheon is a major defense and infrastructure contractor. We’ve been working with them for a couple of years validating our technology. We’re a technology start-up based out of Silicon Valley and we have some very unique technology. Raytheon has been helping us test it, validate it and deploy it.

Paul: We talk a lot about how we validate and test solutions. So, Willy, start with the problem that your product is trying to solve.

Willy: We’re trying to solve a cutting-edge problem of these advanced attacks that are finding ingenious ways around all of our defenses. We talk a lot about fileless attacks and memory-based attacks, but memory protection is kind of fuzzy with a lot of people and a lot of companies. We’re front and center in that memory protection.

We’re also seeing this new kind of attack. People used to talk about the kill chain where you do reconnaissance, you weaponize something, you throw a bomb. What’s happening now is these very subtle, multiple paths are coming in and the weaponization is happening in the application while it’s running. So we’re on the front edge of a lot of these advanced attacks. It was considered kind of obscure until WannaCry and Petya and Industroyer came up in the last year.

Paul: Julian, what’s your role at Raytheon?

Julian: I’m a cyber and information operations subject matter expert. I basically travel the world helping customers solve their problems. I do a lot of architecture work so if they have an issue, we’ll come in and design an architecture to help them alleviate that issue and hopefully protect them in the future.

Paul: So are you seeing the customers you work with experiencing a lot of these advanced attacks?

Julian: Incredibly. I deal mostly with either foreign government or US government customers. And yeah we’re starting to see these attacks regularly.

Paul: Differentiate for me a standard attack vs. an advanced attack.

Julian: A lot of the standard attacks, the ransomware, that you see nowadays are getting in through emails; people are clicking on PDFs, they’re getting in along those lines. The advanced attacks, much like Willy was talking about, we’re starting to see deployments differ greatly. They know that a lot of these places are putting in IPSs and things like that and watching their network traffic. So they’re delivering piece parts. One part might come in via email or PDF, another might be through another vector. Essentially what they’re doing is assembling pieces of a puzzle behind the scenes. Individually, these pieces don’t look like anything.

Paul: It all comes full circle. When we talk about network-based attacks we talk about fragmentation attacks. If I were to fragment my attack, the IDS wouldn’t pick it up because it’s not able to do the reassembly.

Julian: Exactly. You got it.

Paul: We’re kind of seeing the same thing today except it’s not all in the network. They’re just delivering pieces of it to slip by defenses.

Willy: And the battlefield has moved to the applications themselves, particularly in runtime as opposed to being in transit or in disk. Things are in runtime now indefinitely. We work with a lot of critical infrastructure companies as well as Raytheon where they have systems that don’t ever go offline, or should never go offline. So this has become the new battleground.

Paul: Right. I want to get back to the pieces and parts. How do you detect that when the attackers are breaking up their kill chain into such small pieces? First, how is that bypassing defenses and second, what do we do about it?

Julian: It’s a very difficult problem. The best thing you can do is try to identify those pieces before they come in, but that doesn’t often happen. For a lot of this stuff, you’re not going to see Symantec detect it or any of the other antivirus guys, until it’s fully assembled. Once they see the assembled payload, that’s when you start seeing the behaviors and these A/V and EDR solutions can start seeing that kind of thing.

Much like what Willy was saying, what we’re now starting to see are very targeted attacks. The perpetrator will know that there is a specific application running there and they will target that customized application with a customized payload. It’s very difficult to pick these things up.

Paul: So how does Virsec help with this?

Willy: Perfect segue. So we’re unique in that we’re not trying to stop the stuff from coming in. A lot of people are doing that but there are always ways in. We are looking at the application, particularly the runtime and real time.

I’ll give you an example. If you have a compiled application, as it’s loaded into runtime memory, all of the source and target destinations and memory blocks are assigned. They don’t change, or they shouldn’t change. So we have some patents around this. We create a map of where it’s supposed to go to essentially guardrail the application. And if it goes somewhere else, to a memory block that it wasn’t assigned, that’s almost definitely a problem.

So essentially we are watching the application itself closely and accurately wherever possible to ensure it does the right thing. As opposed to the endless threat thing and chasing bad.

Paul: What percentage are you detecting with that particular technique?

Willy: It’s always hard to measure percentages of unknown threats that you capture because we capture 100% of the ones that we find. [laughter] But not being facetious, what we focus on is being very precise. So when we find something, we’re very confident that it’s a real attack.

Paul: Because you’re mapping the memory and when it goes outside of that mapping, then–

Willy: Exactly. And false positives undermine security as much as anything. If you drown out the signal with the noise, then what happened to the target? We call it a deterministic process. It’s much more black and white as opposed to probabilistic models where there’s always some unknown guesswork.

Paul: Yeah, it sounds like you’re not taking into account 8 million different scenarios. You’re looking at just that 1 patented idea. And if that 1 memory footprint doesn’t add up, then it’s trying to do something malicious. And when you’re thinking of processes running in memory, you’re right. When you exploit a process, you’re forcing it to dip into another piece of memory that it normally doesn’t. That’s pretty cool.

Willy: Yes. We have several patents on it and we’ve been developing the technology for a number of years. We’ve been working with Raytheon for about 3 years now. We’re bringing it commercially to market. We also work at other levels with web attacks, with interpreted code where you have more variables. But it’s still the same basic idea, that the programs are designed to follow and do what they’re supposed to do.

Paul [to Julian]: Which you can validate, right? Obviously you’re sitting here with Willy. But you can validate this is a valid solution?

Julian: Of course.

Paul: We’re always looking for validation. This is working for you and your client?

Julian: It is and we’re deploying it into very mission-critical areas. For things that absolutely cannot go down or afford to be hacked, for lack of a better word. Nothing’s a hundred percent but we’re seeing very good success with their product.

Paul: That’s awesome.

Julian: Yes.

Paul: Anything else you want to share with our listeners today?

Willy: I’d just say there’s a new area we’ve seen. Julian and I were talking that it seems you always have to keep going down a layer and another layer. And if we don’t go deeper, we’re not keeping up with the hackers.

We talk a lot about nation states or well-funded hackers. A lot of these advanced attacks have become democratized. They’re out there in volume now. So it’s imperative now to start finding ways to address this because it’s where the battlefield is.

Julian: To supplement that a little bit, we’ve gotten to the point where zero-day attacks and such are commoditized. Companies are out there that will pay for you to develop a zero-day for these guys. So we’re going to see more and more attacks that are out of the league of traditional anti-viruses and such.

Paul: Julian, do you test a lot of different solutions for dealing with this problem your customers are having?

Julian: We have. We have a very good place that’s public called The Code Center where we do test and evaluation of all these products and we generally pick based on the evaluation that that center provides.

Paul: Okay. That’s awesome. Is that something publicly available, like something we could put in the notes for the show so people can find it?

Julian: Oh yeah, it’s easy to remember. C-o-d-e Center. We do a lot of testing for obviously government agencies.

Willy: We’re in there as well.

Paul: That’s great. Julian and Willy, thank you.