Establishment and expansion of Australian information-security centres of excellence is becoming increasingly appealing to private and public-sector organisations that are finding them invaluable partners in the race to keep up with malware threats, according to the regional head of cyber security at BAE Systems Applied Intelligence (SAI).
The company opened a security CoE in Sydney two years ago and last year credited the local team with discovering and publishing detailed analyses of the widespread Shylock and Snake malware variants.
“Having a strong research capability is quite critical to a number of our customers,” Craig Searle, Asia-Pacific head of cyber security with BAE SAI, told CSO Australia. “We have customers that are very interested in having an advanced threat intelligence capability at hand – a sovereign capability they can call on to get advice and input, and to complement their internal capabilities with skills that would be very hard to find anywhere else in the world.”
Those partnerships led, for one, to a strong response against the long-lived Shylock banking malware, which emerged in 2011 but has morphed numerous times – for example, expanding in 2013 to spread via Skype – and infected large numbers of systems before being shut down in July by an international law-enforcement effort. BAE SAI's analysis, largely headed by its Australian security experts, broke down the code and documented features such as its plug-in architecture.
The convergence of cyber-criminal activity and fraudulent activity had raised the stakes in the cat-and-mouse game between malware authors and security researchers, Searle said, adding that the efficacy of conventional detection approaches had long ago been compromised.
“The approach of simply trying to block the malware is inefficient at best, and a little naïve at worst,” he said. “These threats are being written with specific targets in mind, and written not to be identified by commercial security software.”
“Our approach is taking a bigger view, trying to understand who is producing this malware, what's their motive, and who are the key actors in that theatre. To do this, it is necessary to not only be able to have a world-leading research team like we do, but also to collaborate with other research teams and make sure we are getting the best information we can at any point in time.”
That collaboration has extended not only to other BAE SAI security research facilities, but to partnerships with commercial and government agencies. This approach allows the security research team to “develop a much more detailed picture around how these pieces of malware operate,” Searle said, noting the success of the approach in both the Shylock and Snake work.
“We can identify not just the individual behaviours of the malware itself, but also of the command-and-control networks, back-end servers, and the bigger picture of who is doing it and why,” he said.
“A key part of our success with Shylock and Snake was our ability to work closely with these vendors and agencies to give and receive valuable pieces of information to help us piece it all together. Part of that saw us providing frameworks to help vendors and other agencies develop their own tools and detection capabilities for that malware.”
Information-security experts tend to love an intellectual challenge, Searle said, but BAE SAI isn't the only company banking on the appeal of new security challenges to draw in the “complex skill set” required. Startup company Cylance was recently talking up the appeal of working to counter “near perfect” innovation in advanced persistent threats (APTs). And Symantec this month launched a broad expansion of its own Sydney security facilities in a managed-services push that is expected to lead to more than 20 new hires in the next 12 months.
This article is brought to you by Enex TestLab, content directors for CSO Australia.