Blue ink, Red ink… Purple Heart

April 4, 2020 in Preaching

In the past I was primarily focusing on the bad stuff. All the malware stats I ever posted were based on a substantial corpus of malware samples that I processed both ‘statically’ and ‘dynamically’… These numbers were pretty high for an individual contributor … 12M+ samples I did static analysis on & 1.5M+ dynamic analysis reports (shared with the community via the most awesome @VXShare)…

Around 3-4 years ago things changed.

My primary focus moved from collecting malware samples to building a repo of clean samples (not necessarily signed tho!). There are many reasons for this ‘paradigm change’, but any respectable sample hoarder can easily recognize these patterns…

  • you can’t hoard all the malware samples anymore
  • it is growing too fast ($$$ for storage, time for post-processing & backups); it’s also hard to classify, while the ROI of collection is no longer that high…
  • there are more and more boring samples (same old, same old + new fads e.g. ransomware).
  • migration in malicious techniques from a purely binary code (exe, dll, cpl) to PowerShell, C#, as well as return of Office Macros & WScript/CScript coding goodness…

The malware of today is often … an obfuscated script. Plus, many analysts don’t even bother to fully understand the internals of malware anymore as long as we can build a quick detection for it & block it…

Coming back to the ‘good samples repo’ thing – there is more …

I got interested in Living off the Land and novel code injection techniques, so having access to the CLEAN sample set made a huge difference – it suddenly opened many new research opportunities that traditional malware corpora don’t usually offer anymore…

How?

Legacy code, silly ideas, copypasta from CodeProject, CodeGuru, StackOverflow… the internetz of copypasta overall… drivers, COM DLLs, funny installer executables, custom installers, broken, broken, and even more broken… then debug functions, test functions, internal environment variables that made it to production, phantom DLLs, hardcoded credentials, and many, many more…

What does it mean though?

I think it’s a symptom of me getting more and more interested in the offensive side of things. And I will probably be the last one to admit that… but I kinda like it. I was never a pentester and never really had an itch to scratch to ‘pwn things’, but I really do love novelty tricks and I hope … it shows…

So… a blue teamer with the red team itch … this itch needs to be scratched.

When I realized that… I also realized that there are a lot of benefits to this ‘change of direction’. My defensive persona loves to know all the ‘new’ so I always feel that when I can contribute a new trick or discovery I become (and make others who read that…) a… better defender.

So…

This is… at least in my eyes… the ultimate destiny of anyone on the blue side of things… You will eventually become as red as the red team, and more. Cuz they just primarily focus on the ‘pwn’ bit (and they are right) and we, blue teamers, need to be crimson-yearning… a strong foundation of blue, lots of red desires, and defo more and more purple… Is lavender the new black?
