Free Open Source Security Tools Offer Intelligence-Based Defense

Lockheed Martin recently released new open source tools to help defend enterprises from cyberattacks. The system, called Laika BOSS, offers a malware detection and analysis framework for security analysts to share intelligence with other cyber defenders worldwide. Here's my interview with leading cyberexperts who are offering cutting-edge insights and workable solutions to emerging battles in cyberspace.

September 6, 2015

Laika BOSS

Many technology companies offer free open source software and security tools to help protect enterprise systems and networks from dangerous cyberattacks. For example, Google and Facebook released free open source cybersecurity tools last year “to help security professionals gather statistics about bugs and malware, without infringing on individual users' privacy.”

In addition, this InfoSec Institute website offers free open source rootkit and malware detection tools.

But last month, a new set of tools was released by Lockheed Martin that has received significant attention. Could this approach become an industry game-changer?

Perhaps. Lockheed Martin has been known as a leader in global cybersecurity defense for a while. This Forbes article from 2013 called them the dominant player in the federal government cybersecurity market, as well as a leader in dealing with advanced persistent threats in the commercial world.

For these reasons, I took notice when the announcement came out last month regarding Laika BOSS being released as a “free, open source framework designed to take files and break them down to look for indications of malware.” I was intrigued by this trend of top security and technology companies releasing, for free, cybersecurity tools that offer substantial benefits to the wider community.

Naturally, I wanted to learn more and gain a better understanding of the cutting-edge cyberdefense strategies and tactics being deployed by successful, leading cybersecurity companies like Lockheed Martin.

Interview with Lockheed Martin Cybersecurity Tool Experts

In order to learn more, I caught up with Mike Gordon, head of Lockheed Martin’s cybersecurity analysis group, and Adam Zollman, one of Laika BOSS’ engineers and a cyberintelligence analyst. I was very impressed with their first-hand experience and global security perspectives regarding cyberthreats.

They mentioned that the first step for any organization is to determine whether they should "build or buy" their cyberdefense in our new online world. Many small to midsize organizations may struggle to have the talent to effectively defend against ongoing cyberattacks. At the same time, even some large organizations decide to partner with leading companies like Lockheed Martin to run their cyberdefense programs for them. 

However, they also made it clear to me that they are not ready to “throw in the towel” against this explosion in new online, file-based threats. In fact, they believe that companies like Adobe, Microsoft and Google are doing a better job today than they were a few years ago at addressing vulnerabilities found.

Still, vigilance is required now more than ever. New skills and new tools are needed for the cyberteams that protect sensitive information and networks.

Here are my questions and their fascinating answers.

Dan: What new trends or developments do you see as significant in cyberdefense – especially around malware detection?

Mike Gordon: The scope of industries and companies targeted by advanced persistent threat actors – groups highly motivated and dedicated to exploit and attack computer networks – continues to grow. There has also been a significant shift into application exploits. We need to understand this new threat environment and take appropriate steps to address attacks against files – from PDF files to Microsoft Office files to others. The most widely used apps globally will be attacked, and we should not stop using these applications. But we need to take aggressive steps to protect enterprises against these threats.

Because there are highly motivated humans on the other end of the wire, effective defense depends on having highly motivated and talented individuals doing defense as well – and then giving them the agility and tools to do their job. People and evolving tradecraft is the most important aspect of a strong defense, and analysts need an effective platform to scale their analysis into effective defense.

Dan: How can Laika BOSS help enterprises defend against cyberattacks?

Adam Zollman: Laika BOSS is different than many malware detection tools due to its in-depth ability to “atomize” files into smaller meaningful chunks through a rule-based automation engine that analysts can easily adapt and scale. It can look for attributes and evidence of malware even through many layers of obfuscation, reducing the number of ways malware can hide. Putting that power and flexibility in the hands of defenders means that things that were formerly only possible in a small lab – identification and classification – can be deployed at scale to actually help prevent intrusions.

Dan: You call it the "first-ever cybersecurity project which acts as a dynamic, scalable malware detection tool for any company looking to adopt an intelligence-based defense." Can you explain what that means?

Adam: The system, available for download on GitHub, provides a framework for malware detection and analysis through a recursive framework and flexible dispatcher. That's a set of tools to put in the hands of analysts who track and understand the threats, collecting and using intelligence to defeat patterns of malicious activity.

Laika BOSS isn't a silver bullet – it's not a magic black box that goes "ping" whenever anything bad happens – but it's a very powerful tool to help defenders.

Rather than relying on just superficial details about a file – where it came from and when, for instance – it can break those files down into smaller and smaller pieces, trying to uncover malware that may be hidden inside and extracting key pieces of data that may be used to understand and relate other intrusions. And it can do that while removing many layers of complexity and abstraction, at very large scale. It's up to the analysts to use that data and create new content – extend the Laika BOSS platform with new capabilities – based on the threats they see and intelligence they collect.
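To make the recursive "break files into smaller pieces" idea concrete, here is a toy Python dispatcher added for illustration; it is not Laika BOSS's own code or API, and the rule name, marker string and nested sample file are all constructed. Each layer (zip container, base64 encoding) is exploded into child objects, every child is scanned, and recursion is bounded so nested archives cannot run away.

```python
"""Toy recursive scanning dispatcher (hypothetical demo, not Laika BOSS code)."""
import base64
import io
import re
import zipfile

# Constructed stand-in for a real detection rule: one byte pattern.
SIGNATURES = {"demo_marker": re.compile(rb"DEMO-MALWARE-MARKER")}

def explode_zip(data):
    """Return (name, bytes) children of a zip container, or [] if not a zip."""
    if not data.startswith(b"PK\x03\x04"):
        return []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # Skip oversized members so a single child cannot exhaust memory.
        return [(i.filename, zf.read(i)) for i in zf.infolist() if i.file_size <= 1_000_000]

def explode_base64(data):
    """Decode a blob that is entirely base64 text, one common obfuscation layer."""
    stripped = data.strip()
    if len(stripped) < 16 or not re.fullmatch(rb"[A-Za-z0-9+/=\r\n]+", stripped):
        return []
    try:
        return [("base64-decoded", base64.b64decode(stripped))]
    except ValueError:
        return []

EXPLODERS = [explode_zip, explode_base64]  # the dispatcher tries each in turn

def scan(data, path="root", depth=0, max_depth=8, results=None):
    """Scan data, recurse into every child object, return [(path, rule)] hits."""
    if results is None:
        results = []
    for name, rx in SIGNATURES.items():
        if rx.search(data):
            results.append((path, name))
    if depth >= max_depth:  # bound recursion: nested archives can be a decompression bomb
        return results
    for explode in EXPLODERS:
        for child_name, child in explode(data):
            scan(child, f"{path}/{child_name}", depth + 1, max_depth, results)
    return results

def build_sample():
    """Constructed input: marker, base64-encoded, inside a zip, inside another zip."""
    inner = base64.b64encode(b"hello DEMO-MALWARE-MARKER world")
    buf1, buf2 = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(buf1, "w") as zf:
        zf.writestr("payload.txt", inner)
    with zipfile.ZipFile(buf2, "w") as zf:
        zf.writestr("inner.zip", buf1.getvalue())
    return buf2.getvalue()
```

A top-level pattern match never fires on the outer file; only the object path reported by the recursion shows where the marker actually lives.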

Dan: How does the tool "automate their response to known threats that may appear on similar file types across their networks?" How is that different from other available tools? Is this really a game-changer?

Mike Gordon: Security and intelligence analysts are the most critical asset in network defense. But analysts need to be given the power and agility to analyze and act, and that's where Laika BOSS comes in. It's a platform to collect data and apply intelligence that is relevant to the mission and needs – it takes the work that analysts have traditionally had to do manually and provides workflow automation, letting them focus on the actual intelligence and mission objectives. Since threat actors invariably leave a trail of breadcrumbs, analysts are able to use that data and computational power to focus on identifying defenses that are resilient rather than expedient.

Dan: How can organizations use the tools for free as open source? What is the best approach? What else do you recommend?

Mike: Every organization will have different needs. Laika BOSS is just one of many components of defensive tools, and having a defendable environment is a precursor to actively defending it. Once baseline security – industry best practices – is in place, a strong group of security analysts can take Laika BOSS and match it to the right places in the environment where they have the need and opportunity to collect and analyze files.

The first step is to just download it from GitHub – https://github.com/lmco/laikaboss – and start experimenting. It works "out of the box," complete with install instructions and examples.

Dan: What other new steps should enterprises be taking now to protect sensitive information as we head into 2016? Any broader advice?

Mike: With highly motivated and skilled adversaries, the most important step for an enterprise that wants to protect itself is to have highly motivated and skilled defenders. People are the most important part of a robust cyberdefense, along with tradecraft. We at Lockheed Martin practice Intelligence-Driven Defense, and we believe that that combination of people and tradecraft, combined with tools that enable analysts to be as effective as possible, is the best thing we (or any organization) can do to protect their data.

Dan: I’d like to thank Mike and Adam for answering my many questions. If your organization is engaged in this cyberbattle, they stressed the importance of joining a community of experts to work together as a partnership team – such as the MS-ISAC or other industry ISACs. I congratulate Lockheed Martin for making these open source tools available to help strengthen those community efforts.

In conclusion and for a related perspective, Forrester Research offers this excellent free report which lays out five steps to building an effective threat intelligence capability. Rick Holland from Forrester says:

“A security organization cannot acquire threat intelligence by only buying a particular product or subscribing to a particular service — it is an ongoing process supported by a set of capabilities built with human skill and technology. We need to redefine intelligence, and fortunately we have a model to adopt. ...

You cannot simply “buy” threat intelligence; you will have to build knowledge, capabilities, and maturity over time. To do this, you need to develop a multistep (and likely multiyear) road map that: 1) lays a solid foundation of essential capabilities; 2) establishes buy-in; 3) identifies required staffing and skill levels; 4) establishes your intelligence sources; and 5) derives actionable intelligence. ...”

Both Forrester and Lockheed Martin agree that this cyber-intelligence journey starts with the right people and a multi-phase plan.

In addition, these open source tools being offered by Lockheed Martin can provide an excellent framework worth considering for public- and private-sector enterprises that have the right cyberanalyst skills. It is also clear that this is a team sport, and we all need to work together to improve in this area across nontraditional boundaries.

The Lockheed team told me, “The bad guys are working together, sharing malware and coordinating attacks. We need to do much better at coordinating our cybersecurity defenses."

I encourage readers to take a look at these free open source tools to help their cyberteams.

Dan Lohrmann, Chief Security Officer & Chief Strategist at Security Mentor Inc.

Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.

During his distinguished career, he has served global organizations in the public and private sectors in a variety of executive leadership capacities, receiving numerous national awards including: CSO of the Year, Public Official of the Year and Computerworld Premier 100 IT Leader.
Lohrmann led Michigan government’s cybersecurity and technology infrastructure teams from May 2002 to August 2014, including enterprisewide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan.

He currently serves as the Chief Security Officer (CSO) and Chief Strategist for Security Mentor Inc. He is leading the development and implementation of Security Mentor’s industry-leading cyber training, consulting and workshops for end users, managers and executives in the public and private sectors. He has advised senior leaders at the White House, National Governors Association (NGA), National Association of State CIOs (NASCIO), U.S. Department of Homeland Security (DHS), federal, state and local government agencies, Fortune 500 companies, small businesses and nonprofit institutions.

He has more than 30 years of experience in the computer industry, beginning his career with the National Security Agency. He worked for three years in England as a senior network engineer for Lockheed Martin (formerly Loral Aerospace) and for four years as a technical director for ManTech International in a US/UK military facility.

Lohrmann is the author of two books: Virtual Integrity: Faithfully Navigating the Brave New Web and BYOD for You: The Guide to Bring Your Own Device to Work. He has been a keynote speaker at global security and technology conferences from South Africa to Dubai and from Washington, D.C., to Moscow.

He holds a master's degree in computer science (CS) from Johns Hopkins University in Baltimore, and a bachelor's degree in CS from Valparaiso University in Indiana.

Follow Lohrmann on Twitter at: @govcso