Cyber reversing is a new term mutually agreed upon at cytomate. Cyber reversing revolves around the practice of reverse engineering for cyber security enhancement. It is a next generation offensive framework introduced by Cytomate that includes a variety of procedures and techniques revolving around reverse engineering. Our years at cytomate have taught us that the real adversarial emulation starts at the lowest level, that is assembly and reverse engineering. Highly skillful hackers nowadays always try to aim for customized attacks and unknown attack paths mostly discovered by researching vulnerabilities. One thing to note here is that there is a big difference in finding vulnerabilities and researching vulnerabilities. Finding vulnerabilities means we are looking for known vulnerabilities in a system, however researching vulnerabilities means that we are researching unknown vulnerabilities that might be available in a system.
Cyber reversing can be defined as:
“The art of using reverse engineering for the purpose of securing the cyber world.”
Cyber reversing consists of two main modules:
- Advanced Penetration Testing (APT)
- Advanced Program Analysis (APA)
Why advanced penetration testing?
Advanced penetration testing or APT uses a combination of very advanced techniques for penetrating a system. The purpose of advanced penetration testing is to find and mitigate unknown attack paths. With reverse engineering as our focus, we try to find and exploit vulnerabilities at the lowest level that are hidden from intermediate level security people and only highly skillful hackers and very experienced infosec experts can find. We cannot counter a highly skillful attacker if we don’t reach his level.
How is advanced penetration testing different from normal penetration testing? This is a frequently asked question, and the answer is very easy. Advanced penetration testing finds and mitigates unknown attack paths and attack vectors, and penetration testing is the use of existing tools and techniques to find known attack paths and vectors.
“…We define Advanced penetration testing or APT as a combination of very advanced techniques that use the art of reverse engineering as its core basic principle for security testing and penetration…”
Let’s try to understand the difference using examples. Consider a scenario in which an organization xyz requires a penetration testing report. We use the existing techniques of phishing, bruting, vulnerability assessment and existing tools like cobalt strike, Metasploit, GoPhish and others with existing attack vectors to try to get into the system of an organization. If successful, then this exercise reveals misconfigurations, unpatched vulnerabilities and attack paths or vectors that need to be mitigated. But what if an organization has configured everything right, kept up-to-date systems with expensive security controls and still got hacked? An example is of CVE-2021–40444 mshtml remote code execution vulnerability, a zero-day vulnerability that was weaponized to target systems having Microsoft Office installed in them. In this case, the organization cannot defend itself against such an attack. Now let’s see how advanced penetration testing is different from penetration testing. If the same xyz organization had invested in advanced penetration testing then the approach would be to reverse engineer and do vulnerability research on applications that the organization is highly dependent on, for example MS Office. The found vulnerabilities were then weaponized and tested in a red teaming practice to see how much deeper we can penetrate in an organization in a totally anonymous way, just like hackers. After the whole exercise is completed, we would tell the organization that they are vulnerable to highly skilled hackers and the attack paths or vulnerability that we discovered in the exercise would be immediately patched before publicizing the vulnerability. This makes hacking harder for hackers, which is the ultimate goal of advanced penetration testing.
A side by side comparison of penetration testing with advanced penetration testing can be seen in the table provided below. Advanced penetration testing is a very resource exhausting and time taking process but it is beneficial for bigger organizations.
Why advanced program analysis?
The need for advanced program analysis arises when a security sensitive organization is dependent upon a third-party software product. Let’s consider a scenario where some military organization is dependent upon closed source software. How to check the integrity of that software? How to check if any malicious code or some kind of backdoor has been added in that software? We need advanced program analysis for that. A complete analysis of the software binary which would reveal if anything malicious is hidden inside, however this process is a very tedious and time-consuming because to analyze a software with multiple binary files (exe and dlls), a whole team of reverse engineers would have to go through thousands of malicious functions at the assembly level which could take months and even a year to complete, which left a gap in the industry where advanced program analysis could be fasten up?
Cytomate is introducing autonomous cyber reversing for backdoor detection at this level. We are using artificial intelligence for function-level classification of benign and malicious functions which redirects a reverse engineer in the right direction and filters out suspicious functions. Example, if a software binary contains 70 thousand functions, our autonomous cyber reversing would filter out suspicious functions from 70 thousand to a few thousand only and then our reverse engineers would analyze the remaining suspicious functions to check the integrity of the software binary. This approach is a semi-supervised machine learning approach which would drastically reduce the time and resources used in analysis of software binaries.
“…We define Advanced program analysis as a field where reverse engineering is employed to identify malicious behavior (backdoors) in benign binaries with the help of Artificial Intelligence.”
Another use of advanced program analysis includes malware analysis, which demands when a highly sophisticated malware sample is caught. We reverse engineer it, do complete analysis on it, find if any zero-day has been used or not? And finally, we extract TTPs (tactics, techniques, and procedures) from that malware which are recreated again for testing purposes.
Reverse engineering is a very powerful technique in the hands of black hat but it can be even powerful in the hands of white hat people. This article shows the significance of reverse engineering in infosec and why we are more focused towards reverse engineering that we are launching a whole service based on it which we call Cyber reversing.
“Complete transparency in every closed source binary”
Shayan Ahmed Khan,
Reverse Engineer, Cytomate