The highly sophisticated cyber-surveillance campaign known as Regin was revealed by Kaspersky Lab and other security vendors in late November. It immediately sparked an intense discussion. Some well-respected technology experts claimed the “AV industry” (but not us directly) disclosed the Regin campaign far too late, and that the industry should make an effort to publish its findings as soon as new complex malware is discovered.
Our industry doesn’t work like that, and my colleagues from the Global Research and Analysis Team explain why in this blog post.
We should focus on another important statement made during this debate:
We start protecting our customers from complex threats as soon as we discover them. Complex research and disclosure of the new findings is a key part of our work, but it serves different purposes.
Peculiarities of saving the world
At Kaspersky Lab we always say that our goal is to save the world. We are not just a for-profit security software vendor. We also do our best to make the cyber environment a better place. When we talk about a resonant, high-profile act of cybercrime, the “saving the world” part is when we disclose our research. Blocking such threats and developing new methods to prevent future attacks of similar types fulfills our obligation to our customers, who pay us to protect them from all kinds of malicious activity.
In fact, it is not a problem to detect and block a malicious program once it has been discovered and deemed malicious, either by our automated systems or manually by a security expert. Information on certain types of threats can be delivered to our clients minutes after discovery via the cloud-based security network. By contrast, it can sometimes take years to understand how a complex malicious campaign works, by collecting and analyzing different pieces of code taken from infected machines, command and control servers, etc.
The purpose of complex research
If we are able to detect and block threats, even highly sophisticated ones, almost immediately after discovery, why even bother with further research? It is true that the majority of regular malware, developed by the “traditional” cybercrime world, is blocked automatically. But when it comes to a complex campaign backed by vast human and financial resources, we can’t just “detect and forget”. We have to find out what new methods of attack were used and adjust our protection accordingly.
Due to the nature of complex cyberweapons, there is a high chance that new cybercriminal technology will be used in subsequent attacks. Quoting Kim Zetter from her book on Stuxnet: “Every cyberweapon carries the blueprints for its design embedded within it”. By limiting ourselves to blocking one specific malicious program we make our customers vulnerable to further attacks using similar methods.
So what is the goal of researching highly sophisticated malicious campaigns and publishing the results? The research lets us develop innovative protection technologies that block new threats even faster (or, where automated systems are used, instantly). Sharing our expertise benefits the industry (especially when it comes to complex threats that require a joint effort from many vendors), and allows businesses around the world to adjust their security policies based on the new findings.