Reverse Engineering Objectives
The never-ending cybersecurity war between hackers and cybersecurity specialists keeps taking on new features. Reverse engineering is one big part of the arsenal hackers exploit to keep their code hidden in plain sight. The SolarWinds hack is a perfect example of hackers' code hidden in plain sight. Our focus is to briefly cover the basics of reverse engineering and then present our approaches and tools that use reverse engineering:

• What is Decompiling code?
• What is Reverse Engineering?
• SolarWinds Hacking Lessons - Hidden in Plain Sight
• Our Machine Learning Approach
• Our DevOps and Virtualization Options
• Our DataOps and Virtualization Options
• Automation, Intelligence and Virtualization

What is Decompiling code?

A decompiler is software that turns an executable program back into source code. The conversion is usually not a perfect one, and reconstructing or restructuring the source can require a lot of effort, talent and time. With patience, time and teamwork, the result can be rewarding, especially for hackers who need to know how to add their code without detection.

What is Reverse Engineering?

Reverse engineering is the analysis of a device or program to determine its function or structure, often with the intent of re-creating or modifying it. Hackers can use reverse engineering to add their malicious code without detection, while cybersecurity specialists use reverse engineering to detect malicious code. It is a never-ending cycle of outsmarting each other.

SolarWinds Hacking Lessons - Hidden in Plain Sight

What is the SolarWinds (Orion) Hack?

Briefly, SolarWinds is a major software company which provides system management tools for network and infrastructure monitoring, and other technical services, to hundreds of thousands of organizations around the world. Among the company's products is an IT performance monitoring system called Orion.
In early 2020, hackers secretly broke into Texas-based SolarWinds' systems and added malicious code into the company's software system. More than 30,000 public and private organizations, including local, state and federal agencies, use the Orion network management system to manage their IT resources. As a result, the hack compromised the data, networks and systems of thousands of them when SolarWinds inadvertently delivered the backdoor malware as an update to the Orion software. According to FireEye's site posting: "Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor".

From experience, updating or modifying someone else's code is not a small task. The added code must be tested to make sure it does what it is supposed to do. Looking at the details and the total effort involved in inserting their malicious code, these hackers must have had access to, or copies of, the DLLs, the interfaces and the possible variations. The following are the goals and methodologies used by the hackers:

The Malware Performance:
It looks like the hackers were very familiar with the details of SolarWinds' code, processes, schedules, etc. These hackers were able to reverse engineer SolarWinds DLLs and reconstruct them with malicious code.

Our questions: Are the cybersecurity specialists helpless? How do we stop such a hack?

Our remedy is the following. These hackers were using certain functions, OS calls, threads, IP addresses, sleep, hashing, zipping, etc. In short, any program or server must be executed through Operating System calls or scripts.

OS and CPU Basics:

The OS decides the best way to swap between running, runnable and waiting processes. It controls which process is being executed by the CPU at any point in time, and shares access to the CPU between processes. The job of working out when to swap processes is known as scheduling. The OS makes it possible to run several programs at once, since several programs can be stored in RAM at the same time. Therefore, we can do the following:

1. List all the OS calls and scripts
2. Give each call or script a grade for how likely it is to be used by anyone with bad intentions
3. List all the calls hackers often use
4. Track any processes running in memory
5. Prevent and trap any hashing, inline, sleep, remote access functions, etc.
6. Prevent other miscellaneous hacker tools

In short, monitor the OS execution and memory processes. The main job of the OS is to run all programs, including the OS itself. Any OS works with scheduled processes, access permissions, memory allocation, trapping of any illegal access, etc. Therefore we would use the OS monitoring data to trap any code execution, access, memory residence, etc. We need to obtain a picture of what the OS is doing and of everything running on the system or servers. In other words: we keep our eyes on the OS and its data and everything running in memory. Maybe future OS software and hardware will be built to trap hackers and any unauthorized access.
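The six-step monitoring plan above, as an added example that is not part of the original page: a small Python grader over constructed OS-call events that assigns each call a grade (steps 2 and 3), tracks the accumulated grade per process (step 4) and flags processes that cross a threshold (step 5), with an extra grade when a process sleeps and later makes a remote-access call. The call names, grades, log format and threshold are assumptions for illustration, not the page's own.

```python
"""Added example: grade constructed OS-call events per process."""
from collections import defaultdict

# Steps 2 and 3: a risk grade per call family (assumed values for illustration).
CALL_GRADES = {
    "sleep": 1,          # long delays before acting
    "hash": 2,           # hashing names/strings to hide what is being matched
    "zip": 2,            # compressing data before it leaves the host
    "remote_access": 3,  # outbound connection to an external host
    "inline": 3,         # inline/runtime code modification
}
ALERT_THRESHOLD = 6      # assumed cut-off for flagging a process


def parse_event(line):
    """Parse a constructed 'pid=<n> proc=<name> call=<call>' line into a dict."""
    fields = dict(part.split("=", 1) for part in line.split())
    return {"pid": int(fields["pid"]), "proc": fields["proc"], "call": fields["call"]}


def grade_processes(lines):
    """Step 4: accumulate a grade per (pid, proc) across all events.
    A sleep followed later by remote_access in the same process gets +2,
    since that delay-then-call-out pattern is more suspicious than either alone."""
    scores = defaultdict(int)
    slept = set()
    for line in lines:
        ev = parse_event(line)
        key = (ev["pid"], ev["proc"])
        scores[key] += CALL_GRADES.get(ev["call"], 0)
        if ev["call"] == "sleep":
            slept.add(key)
        elif ev["call"] == "remote_access" and key in slept:
            scores[key] += 2
    return dict(scores)


def flagged(lines, threshold=ALERT_THRESHOLD):
    """Step 5: processes whose accumulated grade reaches the threshold."""
    return sorted(k for k, s in grade_processes(lines).items() if s >= threshold)


# Constructed sample events (not real telemetry).
SAMPLE_LOG = [
    "pid=101 proc=backup.exe call=zip",
    "pid=101 proc=backup.exe call=remote_access",
    "pid=202 proc=svc.exe call=sleep",
    "pid=202 proc=svc.exe call=hash",
    "pid=202 proc=svc.exe call=remote_access",
    "pid=303 proc=editor.exe call=open_file",
]

if __name__ == "__main__":
    for key, score in sorted(grade_processes(SAMPLE_LOG).items()):
        print(key, score)
    print("flagged:", flagged(SAMPLE_LOG))
```

Note that backup.exe also zips and calls out, but without the sleep-first pattern it stays below the threshold; the grades are meant to be tuned against the call list built in step 1.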
Our Machine Learning Approach

We are presenting the following options, where our Machine Learning tools would be doing the OS monitoring:
Our DevOps and Virtualization Options

The powers and options DevOps provides are among the least understood and least used. In a nutshell, DevOps is the hardware and software connections and interfaces, in terms of infrastructure (servers and networks) and software (the running software system). DevOps also gives the option to monitor both the infrastructure and the running system. DevOps would create virtual servers (as containers), virtual applications (as components), virtual connections (routers, switches, firewalls, etc.), virtual networks and virtual clusters. DevOps and virtualization can be used for creating, automating, securing, monitoring, deleting, trapping, rollback, backups, testing, evaluating performance, remote access, sandboxing, etc. DevOps would be used to perform monitoring, detection, prevention, remedy, rollback, recovery and response to zero-day attacks.

Our DataOps and Virtualization Options

To make life easier for DevOps, there must be an independent, intelligent DataOps as a service. Virtualization would give DataOps the same power and options we just described in the Our DevOps and Virtualization Options section.

Automation, Intelligence and Virtualization

See the following link: Security Solution Architect - Adam's Blueprint for Security