‘We’re not the ones who go out and break doors down. We focus on the technical challenges’

McAfee's Advanced Threat Research (ATR) team maps the activities of cybercriminals and other threat actors

McAfee’s Advanced Threat Research (ATR) team is the “sharp tip of the spear” that maps the activities of cybercriminals and other threat actors.

Around 50 researchers worldwide make up the team, including Raj Samani, chief scientist at McAfee. The ATR division is a subset of the wider McAfee Labs, which employs around 200 people.

The Daily Swig spoke to Samani about his work with multiple law enforcement agencies on cybercrime cases, as well as the “threat focused” work of McAfee’s ATR team.


What functions do threat researchers perform inside McAfee?

Raj Samani: The team, which is very threat focused, offers strategic analysis. It can react to threats – such as WannaCry – to work out how something has been exploited. This goes beyond making sure that detection is in place.

Not all vulnerabilities lead to exploits. You have to try and anticipate what might happen. For example, ransomware is a real threat for many of our customers. Windows Remote Desktop Protocol (RDP) is often a vector for such threats.

The group focuses on advanced threats – but this isn’t just malware, it could be vulnerabilities. We also look at devices. We’ve done cars, we’ve done hospital heart monitors, padlocks, coffee machines, and everything else as well.

If we find a vulnerability in a product then we go through a disclosure with the affected vendor, which can take 90 or 180 days – dependent on the severity of the vulnerability – before we go public.

It’s a fairly broad scope, but fundamentally the basis of the research is how can we understand threats that are happening as well as escalations that might occur.

There’s a number of different outputs. Sometimes we’ll do research and then we’ll publish a blog, but actually that’s just scratching the surface. We actively monitor multiple adversaries.

As we get new intelligence – and better understanding of the types of tools, tactics, and procedures that they are using – we’ll always feed that back to the product team, whether that’s a new technique or a new type of malware.

We also have a threat intelligence service, tailored to the needs of customers. That information doesn’t go public.


The volume and variety of threats might seem overwhelming. How do you bring new members of the team up to speed?

RS: We have a repository in which the technical skills of every single member of the team are monitored and tracked. We also run Slack and team sessions.

When we bring people on board, we’re very specific not only about the type of skills that they have, but the type of research they are likely to be doing.

We already know many people who are coming into the team because we have referrals, or we worked with some of our people before.


What does your cooperation with law enforcement involve?

RS: We focus on technical challenges. We’re not the ones who go out and break doors down – even though some of our people are ex-law enforcement or military.

Often, no doors are broken down and operations become about disrupting the infrastructure of the bad guys.

We don’t do attribution, focusing instead on developing indications of compromise. GDPR is, in some ways, detrimental to intelligence gathering.

We have MoUs [memorandums of understanding] with law enforcement agencies across the world. We don’t provide PII [personally identifiable information] but rather technical information that will lead to the disruption of a campaign.

We have also done work that has led to arrests, for example with CTB-Locker, or led to the disruption of the BeeBone botnet.

We want to create a safer society [online], and working with law enforcement is a natural progression to that.


McAfee Research Lab in Hillsboro, Oregon


What current areas of research is the McAfee team involved in?

RS: We’re working on major malware campaigns, specific protocol vulnerabilities (for example RDP), flaws in consumer electronics and automotive systems. We recently published some research about Delta building controllers. And then there’s the reactive work about stuff that comes in.

There’s a lot. It’s important that we get a deeper understanding of the issue: a deeper understanding of the vulnerability and the exploits. That’s all the product and vulnerability side, but we’re also working on things like, ‘Is our vulnerability disclosure process correct?’ and working with our competitors. I’m on the board of the Cyber Threat Alliance (CTA), where we do work on information threat sharing.

There’s a lot of work that goes on behind the sharp tip of the spear to make sure we can get the best intelligence at all times or the team has everything it needs or (when we go through the disclosure process) that we’re likely to get a vendor to respond in the right way. A lot of that work gets overlooked.


How is the threat landscape changing?

RS: The threat landscape is becoming more complicated – adversaries are becoming more nimble and smarter. They are adapting. It’s [the threat landscape] evolving at such a rapid pace.

In response, we are diversifying our teams. We’re employing data scientists, experts in AI and machine learning, as well as reverse engineers and incident response staff.

We don’t have the luxury of time. The focus is on predictive and pro-active analysis. What can you head off at the pass?

Three or four years ago, we were talking about ransomware, but it was a consumer issue using emails. Now it’s groups that are incredibly well funded, with very convoluted methods to track and monitor potential victims, who are using entry vectors like RDP. The exploits and the vulnerabilities are being weaponized at a fairly fast clip.

The adversaries are getting better and faster. They are doing their research and learning about organizational environments. They have an entire ecosystem as a vehicle to bypass security. It’s becoming a criminal battleground.
