Incorporating Feedback from the Security Community - What does DVLabs do?

On February 18, 2013, the American cyber-security firm Mandiant released a report detailing some of the inner workings of the Chinese PLA (People’s Liberation Army). If you’ve read the report, you most likely copied and pasted the link above into your browser instead of clicking it! Specifically, the document discusses a group called APT1, which the report alleges is responsible for the development and deployment of hundreds of families of malware.


This report is an example of the type of information DVLabs consumes on a daily basis in order to provide our customers with superior and timely protection against threats, known and unknown. The following breakdown describes TippingPoint protection solutions specifically relevant to the threats described in the report.


TippingPoint offers a service called RepDV, which is a customizable blacklist and whitelist for DNS and IP entries. Based on the large amount of malware our research teams watch and track, we decided to develop an internal database to house samples in order to better develop detection logic and signatures for our IPS product. When the report was released, our initial step was to ensure that any newly discovered malicious DNS entries were added immediately to RepDV and to start tracking any related malware samples for further analysis. In DV (Digital Vaccine) 8423 we released a set of signatures to cover the SSL certificates associated with malicious hosts from the report. Finally, our researchers have identified several malware samples that could be thwarted with filters and are actively working to release these signatures in the coming weeks.
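To make the blacklist/whitelist idea concrete, here is a small reputation-list matcher in Python. It is illustrative code added to this post, not TippingPoint's RepDV implementation, and it generalizes the three indicator types the paragraph above mentions: DNS names (matched against the name and each of its parent domains), IP addresses (matched against CIDR networks), and SSL certificates (matched by SHA-1 fingerprint over the DER bytes). Whitelist entries always override blacklist entries, which is how a customizable list lets a customer suppress a false positive. Every domain, address, certificate and event in the block is a constructed placeholder, not an indicator from the Mandiant report.

```python
"""Reputation-list matching for DNS names, IP addresses and TLS certificate
fingerprints, in the spirit of the RepDV blacklist/whitelist described above.
Illustrative code added to this post, not TippingPoint's own RepDV code.
All indicators and events below are constructed placeholders."""
import hashlib
import ipaddress
from dataclasses import dataclass, field


def cert_fingerprint(der_bytes: bytes) -> str:
    """SHA-1 over the DER-encoded certificate, lower-case hex: the usual form
    a certificate blacklist stores."""
    return hashlib.sha1(der_bytes).hexdigest()


def _name_and_parents(domain: str):
    """Yield the name and each parent zone, so a blacklisted zone also covers
    any host beneath it: a.b.example.test -> a.b.example.test, b.example.test,
    example.test, test."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


@dataclass
class ReputationList:
    # Whitelist entries win over blacklist entries so a false positive can be
    # overridden without editing the blacklist itself.
    block_domains: set = field(default_factory=set)
    allow_domains: set = field(default_factory=set)
    block_networks: list = field(default_factory=list)
    allow_networks: list = field(default_factory=list)
    block_cert_fps: set = field(default_factory=set)

    def add_network(self, cidr: str, allow: bool = False) -> None:
        net = ipaddress.ip_network(cidr, strict=False)
        (self.allow_networks if allow else self.block_networks).append(net)

    def check_domain(self, domain: str) -> str:
        names = list(_name_and_parents(domain))
        if any(n in self.allow_domains for n in names):
            return "allow"
        if any(n in self.block_domains for n in names):
            return "block"
        return "unknown"

    def check_ip(self, ip: str) -> str:
        addr = ipaddress.ip_address(ip)
        if any(addr in n for n in self.allow_networks):
            return "allow"
        if any(addr in n for n in self.block_networks):
            return "block"
        return "unknown"

    def check_cert(self, der_bytes: bytes) -> str:
        fp = cert_fingerprint(der_bytes)
        return "block" if fp in self.block_cert_fps else "unknown"


def triage(events, rep: ReputationList):
    """Return (event_id, verdict) per event. A TLS event is judged on both the
    certificate and the server address, so a re-issued certificate on a
    listed address is still caught."""
    results = []
    for ev in events:
        if ev["type"] == "dns":
            verdict = rep.check_domain(ev["qname"])
        elif ev["type"] == "connect":
            verdict = rep.check_ip(ev["dst"])
        elif ev["type"] == "tls":
            seen = {rep.check_cert(ev["cert"]), rep.check_ip(ev["dst"])}
            verdict = "allow" if "allow" in seen else "block" if "block" in seen else "unknown"
        else:
            verdict = "unknown"
        results.append((ev["id"], verdict))
    return results


# Constructed sample data: documentation ranges and reserved TLDs, not real IoCs.
PLACEHOLDER_CERT = b"constructed-placeholder-der-certificate"


def build_sample_list() -> ReputationList:
    rep = ReputationList()
    rep.block_domains.update({"c2.example.invalid", "bad.example.test"})
    rep.allow_domains.add("partner.bad.example.test")  # whitelist override
    rep.add_network("203.0.113.0/24")                  # TEST-NET-3
    rep.add_network("203.0.113.250/32", allow=True)    # one host exempted
    rep.block_cert_fps.add(cert_fingerprint(PLACEHOLDER_CERT))
    return rep


SAMPLE_EVENTS = [  # constructed
    {"id": 1, "type": "dns", "qname": "update.c2.example.invalid."},
    {"id": 2, "type": "dns", "qname": "partner.bad.example.test"},
    {"id": 3, "type": "dns", "qname": "www.example.org"},
    {"id": 4, "type": "connect", "dst": "203.0.113.17"},
    {"id": 5, "type": "connect", "dst": "203.0.113.250"},
    {"id": 6, "type": "tls", "dst": "198.51.100.9", "cert": PLACEHOLDER_CERT},
    {"id": 7, "type": "tls", "dst": "203.0.113.40", "cert": b"different-cert"},
]

if __name__ == "__main__":
    for ev_id, verdict in triage(SAMPLE_EVENTS, build_sample_list()):
        print(ev_id, verdict)
```

Running the block prints one verdict per event: the subdomain of a blacklisted zone and the address inside the blacklisted range are blocked, the whitelisted name and host are allowed even though their parents are listed, and event 7 is still blocked on its address although its certificate is not on the list, which is the point of pairing certificate and host indicators as the paragraph describes.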


In reality, investigation into APT1 began sometime around 2006. There is no doubt that governments around the world have been actively developing malware and exploiting vulnerabilities for much longer than that, at an unprecedented cost and on an unprecedented timeline. What I’m getting at here is that these entities are unlikely to continue serving malware on the hosts detailed in the report. The certificates are almost guaranteed to change, and I’d expect much of the malware to be updated or even completely replaced due to the publicity this particular report received. Based on this assessment, DVLabs will provide signatures only for malware that continues to communicate with remote hosts for malicious purposes. We may update or modify the certificate signatures in the future if the certificates are replaced or reconfigured. Finally, we will actively track the DNS entries that continue to serve malicious content and remove or replace those that do not.


This is neither an uncommon scenario nor one that is new to TippingPoint. As with other sources of security intelligence, we leverage our tools and research capability to translate information like this into actionable intelligence to power the most effective security solutions in the industry.


Steve Povolny

Manager, Digital Vaccine
