Be ready for your Regin: practice, practice, practice

This week Symantec (and many others) published information about a cyber espionage campaign dubbed "Regin". See "Regin: Top-tier espionage tool enables stealthy surveillance". In general, I take umbrage when, every time a novel or sophisticated system is discovered, it is attributed to a Nation State. See my 2012 video "Glowing Embers", or better yet, read/listen to "Ghost in the Wires" or "Masters of Doom". Creative individuals and small teams can do amazing things.

However, whatever the source of such campaigns or their motivations, you should prepare yourself for the day one of them hits your network. While there are security training courses you can take, you can also practice by analyzing the benign activity already on your network. Practicing on such activity builds the knowledge and skills you need to detect and analyze the activity of real threats.

In 2012 I published a pair of articles ("The Advanced Persistent Threat You Have: Google Chrome" and "The Making of 'The Advanced Persistent Threat You Have: Google Chrome'") and a Keynote presentation ("Google: The APT You Have") on analyzing Google's automatic update system. In many ways, Google's software resembles a good Command & Control system an adversary might use: small sleeper code that occasionally wakes up to download encrypted new stages, use of virtual file systems, modification of critical resources, and cleaning up after each activity.

I encourage everyone to start searching for and analyzing these (hopefully benign) Command & Control systems in your network. I guarantee you, you have plenty of them operating in your network. Practicing on these will prepare you for the malicious ones.
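As an added example (not from the original article), here is a minimal beacon-interval check of the kind this practice calls for, run over constructed proxy log lines with invented hosts and timestamps: a client that checks in on a fixed schedule, like the updater described above, shows near-zero variation between requests, while ordinary browsing does not.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log: src_ip timestamp host bytes.
# Hosts and timestamps are invented for illustration, not real data.
SAMPLE_LOG = """\
10.0.0.5 2014-11-24T09:00:02 update.example-vendor.test 612
10.0.0.5 2014-11-24T09:00:09 news.example.test 48210
10.0.0.5 2014-11-24T14:00:05 update.example-vendor.test 598
10.0.0.5 2014-11-24T15:12:40 news.example.test 50133
10.0.0.5 2014-11-24T19:00:01 update.example-vendor.test 605
10.0.0.5 2014-11-24T21:44:13 news.example.test 47002
10.0.0.5 2014-11-25T00:00:07 update.example-vendor.test 610
10.0.0.5 2014-11-25T01:10:55 news.example.test 49988
10.0.0.5 2014-11-25T05:00:03 update.example-vendor.test 602
"""

def parse_log(text):
    """Return {(src, host): [datetime, ...]} with times sorted."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        src, ts, host, _size = line.split()
        events[(src, host)].append(datetime.fromisoformat(ts))
    for times in events.values():
        times.sort()
    return events

def find_beacons(text, min_events=4, max_cv=0.1):
    """Flag (src, host) pairs whose request gaps are highly regular.
    Regularity = coefficient of variation (stdev/mean) of the gaps between
    consecutive requests; a sleeper on a fixed schedule scores near zero."""
    findings = {}
    for key, times in parse_log(text).items():
        if len(times) < min_events:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            findings[key] = {"events": len(times),
                             "mean_gap_s": round(avg), "cv": round(cv, 4)}
    return findings

if __name__ == "__main__":
    for (src, host), info in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {host}: every ~{info['mean_gap_s']}s, {info}")
```

Once a periodic talker is found, the next step in the exercise is the one the articles above walk through: pull the downloaded stages and work out what they do and where they write.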