Interview of Benoit Grunemwald, Director of Operations, ESET

Can you provide some figures about ESET?

Since 1997, we have included artificial intelligence in our solutions to address and classify 300 000 new threats per day entering our cyberspace. We have over 100 million agents deployed with our clients worldwide. ESET has tripled its research staff to counter the constantly growing cyber threat.

 

Why is Threat Intelligence a topic for Les Assises?

Threats are evolving and their numbers have been constantly growing in recent years. Infection and post-exploitation tools are also changing constantly, which is why we feel that threat intelligence is essential for good risk analysis in order to take into account the tools currently used by these threats. These tools detect intrusions, collect information during the intrusion and can be used subsequently to predict an attack similar to previous ones by identifying the "tools, tactics, and procedures" used.

 

How do you share the IOCs collected by your agents?

Through people. We cooperate with the police and cybersecurity forces for national security obligations or to protect sensitive infrastructures, but also with trusted companies and partners.

 

What do you think of initiatives like ThreatConnect and IBM Xforce that allow free sharing of IOCs?

By sharing IOCs, we hope they will be spread more quickly to fight threats. However, diffusion doesn’t necessarily mean integration. IOCs serve no purpose if they are shared but not integrated in detection tools. Theoretically, they make life more difficult for attackers. But if these IOCs are public, they’re also available to attackers, who can see if their malicious actions have been detected.

 

What are the different “types” of Threat Intelligence?

I think there are three levels of Threat Intelligence:

- Open Door: That is, all the information made available free of charge to the public for protection

- Threat Intelligence in companies: protecting ourselves against recurring attacks in our sector

- Attacker Threat Intelligence, with a pre-attack reconnaissance phase, and possibly a victim post-attack phase. Some of the tools most commonly used by attackers in reconnaissance are social media, as well as search engines like Shodan and even Google.

 

What do you think of AI in this area, and do you use it?

Depending solely on artificial intelligence without training people is dangerous. Artificial intelligence is a weapon, but a double-edged one. If people aren’t involved in steering or creating it, it’s just one tool among many. When marketing talks about AI, we imagine it controlling the world, but that’s not yet the case. ESET has been using AI since 1998, specifically in recurring neural networks and in a group of six classification algorithms.

 

What is the most interesting malware you’ve been able to analyse?

We’ve published a report on malware called GreyEnergy. It is the successor of the malware that targeted power plants in the Ukraine.

Lojax is a UEFI malware that we have succeeded in analysing and detecting in our laboratories. It is one of the first to be found. https://www.welivesecurity.com/fr/2018/09/27/lojax-premier-rootkit-uefi-sednit/

 

Concretely, how does the antivirus engine do program analysis?

Detection of the use of an obfuscator or packer is generally the first clue that raises the suspicion level. The footprint of a program is irrefutable evidence to determine if it is known malware. To detect an unknown threat, the antivirus uses a set of tools to extract clues and markers serving as "evidence". By crossing this evidence, we can assign a "score" to the program in question. This concept is very similar to a police investigation, where the clues raise suspicions and the footprint of known malware is irrefutable evidence. Too many suspicions may lead to blocking for security reasons.

 

What do you think is the most memorable cybersecurity headline of 2018?

The maturity of Threat Intelligence. A decade ago, it was not possible to expect to sell markers, and even less for large companies to expect to buy them.

Executive committees have to focus on cyber risks. Traditionally, companies have faced natural, competitive or political risks. However, the latest major attacks have shown that cyber risks, whether one is targeted or affected as collateral damage, have consequences on business operations. This analysis has to be done at all company levels.
