Longtime cybersecurity professional Kathie Miley: unknown malware is stressing out CISOs

Updated on: 28 September 2021

Jurgita Lapienytė
Chief Editor

Cybersecurity tools are trained to look for familiar malware and vulnerabilities. But recent major cyberattacks, such as SolarWinds, were caused by the unknown malware, and it is the biggest stressor for the CISOs at the moment.

There are over two billion known malware types out there. Threat detection tools are trained to find them either based on their unique signature or a source code. But even minor modifications make them invisible for the traditional detection tools.

According to Delloitte, prior to the pandemic, about 20% of cyberattacks used previously unseen malware or penetration methods. During the pandemic, the proportion has risen to 35%.

“This upsurge in sophisticated cyberattacks calls for new ‘cutting edge’ detection mechanisms to meet the threat,” the company stated.

Experts globally agree that long time to detection is one of the major problems. On average, it takes 14 weeks to learn about an attack, meaning that malicious hackers can reign free for months before their wrongdoing is even noticed.

“That is the biggest stressor that CISOs are facing right now, how do they truly understand what is going on inside these applications that are running the core of their business. How do they know what they don't know?” Kathie Miley, with 20+ years of experience in cybersecurity, told CyberNews.

Miley has held a variety of executive leadership roles in the information security and cyber threat industry, including positions at Verizon, Invincea, and Cybrary. Currently, she is a chief operating officer at CodeHunter - an automated unknown malware detection SaaS (software-as-a-service) platform.

According to Miley, it helps to tackle cybersecurity skills shortage as time to threat detection problems.

We met Miley during the Blach Hat USA 2021 conference and discussed what is stressing the cybersecurity community out the most at the moment.

“This is pretty much the most intense time that I've seen in my 20+ years in cyber,” she said.

You've been in the cybersecurity industry for almost 30 years. How do these last couple of years compare to anything that you've seen?

It's pretty intense these days, especially with all the supply chain attacks that have been happening. COVID brought about a complete shift in how everybody had to operate and secure their enterprise. No one was prepared to have a mass amount of remote workers and had to completely readjust everybody's thinking about what an enterprise boundary looked like.

Over the years, we had been all preaching that ‘there is no perimeter anymore.’ COVID forced that reality on everybody and made them start thinking about how they had to change their traditional security operations and governess of processes. Late last year, when SolarWinds hit, people realized that hackers were taking advantage of trusted software patches to implement and penetrate organizations. That was not expected.

Most organizations would install patches without even considering going through a security process like they do when they are developing in-house applications. That really changed the world, and now everything upended. It goes as far as president Biden issuing the executive order to start doing more to protect the critical infrastructure. It is pretty much the most intense time that I've seen in my 20+ years in cyber.

system hack warning on screen — Who has dealt with cybercriminals better: Colonial Pipeline or Ireland’s Health Services? (c) Shutterstock

People in cyber feel like they are in a pressure cooker 24/7. Depression, burnout, and suicide are becoming increasingly common among industry experts, who are often the scapegoats once a severe attack hits the company. How stressed are you guys?

You have to look at it from this poor CISO's perspective. They are the top dog in an organization. They are expected to know everything about the cybersecurity market and everything there is about cybersecurity resilience inside the organization. When challenges come up, and new things start to appear, the organization, of course, goes back to the CISO, expecting them to know it. Still, the CISO has no peer capability to go to somebody and say, 'hey, I've never seen this before. Do you guys see this?'

I think the advent of these virtual peer-to-peer CISO networks has allowed CISOs to go to each other and say, 'ok, what are we going to do, how are we going to approach this new world, what are we going to do to mitigate against these new attack vectors.' And so the CISOs can start to collaborate and leverage each other's experience and knowledge to create and put best practices in place to mitigate this challenge.

The biggest stressor that CISOs face right now is how they truly understand what is going on inside these applications running the core of their business.

Last year, I worked for an organization that was one of these peer-to-peer networks, and we would get together dozens upon dozens of CISOs to talk about quarterly what are the top challenges they are facing. In Q4 last year, the biggest thing that CISOs were talking about was this notion of managing security inside of the applications they have. The poor state local governments don't have the same funding as these significant financial institutions. They don't have the staff on board who understands how to approach cybersecurity like these big major financial and other institutions have. These CISOs were looking at things like 'how am I going to look at these applications and determine whether or not they are secure.' So they can take a traditional vulnerability applications scanning tool and scan it for known vulnerabilities. But there's no way, no tool on the marketplace that would allow them to access an application for unknowns. Is there hidden malware? Is there a hidden adversary baked inside of my code somewhere that I don't know about because it is not an already existing signature that tells me 'yes, I know, and here it is in your application?' How do they know what they don't know? And how do they find these zero-day attacks and they can get them out before it impacts their business. The biggest stressor that CISOs face right now is how they truly understand what is going on inside these applications running the core of their business.

During the Black Hat USA 2021, you represented the CodeHunter platform. I read that it was created by a team of PhDs, mathematicians, software experts, and cybersecurity professionals, including execs from Verizon, Northwestern Mutual, IBM, and the Federal Government, and is trained to detect both known and unknown types of malware.

Our application is designed specifically for malware hunting. There are a lot of tools out there that can look at known vulnerabilities. But they can't find what isn't already known. CodeHunter is a static application assessment tool, so you have to put your application inside the tool and then it decompiles the application software code, and it takes a mathematical algorithm approach to looking at the behavior inside the software itself and determining whether or not it's function calls are behaving maliciously.

Forget all the signatures, known vulnerabilities - it's looking for what you don't know. It then takes what it finds based on the behavior of the code, maps it to a malware type, like a trojan or ransomware, reports back to you whether or not your software is indicative of conducting this type of behavior, shows you where within the code the malware was discovered so that you can take that back and mitigate it.

How long does it take to scan the application, and how often do you have to do it?

It depends on the application. Most people would think it is the size of the application, but that's not it. Some applications can have millions of lines of code. Some applications could have thousands of lines of codes. A traditional approach is to go in and identify malware. You would have to be a malware specialist to go in and look at the lines of code and identify the traits of malware. It could take a human being literally weeks, months, or years to go through a code set to identify the malware. Depending on the complexity of the code, the automated approach that we are taking could take seconds, minutes, or hours. It reduces the time to discover it by literally massive amounts of hours that humans would take down to seconds potentially.

Should you run it quite often? The huge problem is the time it takes to detect intrusion. On average, it takes 14 weeks only to notice you’ve been breached.

Three massive problems that we can solve with our solution. One-time to detection. Two, talent shortage. And three, a skills gap. What we did, we said: we are going to design this in a way that is so very simple and intuitive that even people who don't have those senior malware hunting skills, can be able to go ahead and perform the job that somebody of that title and skillset would have. My teenage daughters could pick up an application, drop it and have it analyzed and simply read the results because it makes sense. The next step would be to give it to the people in the right department to remediate. From a talent shortage perspective, if we are looking at having a 4 million job opening worldwide for cybersecurity talent, you've got to be able to take people in your organization today, close that skills gap because there's literally no way we are going to fill those four million jobs at this point.

Are you accumulating some kind of knowledge about unknown malware?

If we were to scan an application and discover a previously unknown malware type, we would be able to apply that to a signature that you could download and put into your security information and event management systems, and that could be used pervasively across the enterprise. The next step for us is to take that new piece of malware and report it back to the software developer, whether it would be your internal developers fixing it or a supply chain, like a third-party software solution, and letting them know there's a vulnerability. We can also alert our users that this has been discovered.

Should your application replace any existing cybersecurity practises?

We don't currently scan for vulnerabilities like other application assessment tools. We are an addition to those tools because they can only go so far. They only look for the known. So we encourage people at the devsec ops point, where they check their code, to scan for vulnerabilities and check for potentially unknown malware embedded in the code. So even though it's an addition right now, our intentions are within a few releases from now to include vulnerability scanning, so that it could potentially be a replacement of some of those tools that you would have to have in both scenarios.

Could it replace some people, having in mind we are four million cybersecurity experts short?

Suppose you are a hospital, and you don't have malware hunters on board. Still, you have an IT person on board responsible for rolling out a new version of the software that is potentially running their MRIs system. In that case, you could drop the application into CodeHunter, check it first, understand that we didn't discover any malicious behavior happening, and feel comfortable going ahead and deploying that software. Less experienced people will be able to understand whether they are putting something safe in their environment. Very experienced people will understand whether they've missed something or downloaded an open-source set of software code that might have been compromised. Manufacturers who are developing these solutions also use them within their development life cycle before they release their product to ensure that they are not introducing anything risky that could compromise a customer's environment.

From the breaches that you've seen and observed recently, would you say that known malware is responsible for most of them?

The big ones that you saw, like SolarWinds, were completely brand new. Nobody had ever seen it before. It was a very clever attack and would be missed by every solution out there because of how it operated and hid itself. Malware is very interesting. It can be polymorphic, meaning that if you change one tiny little thing, a previously existing signature will be useless. Every change that happens in a piece of malware would have to be assigned to a new signature.

Unless you are catching them and realizing them and making a new signature or hash for it, you just aren't going to know. Malware doesn't tend to be invented from scratch these days. It's usually a variant of another piece of malware, stitched together in a very creative way to obfuscate itself from the current detection methodologies. There are over two billion types of known malware. With it continuously changing itself, there's no way to keep up with it. We needed to make a completely agnostic solution from signature-based and hash-based detection and go based entirely on behavior analytics.