Threat Kinetics: The Arms Race Between Black Hat and White Hat Developers

May 8, 2015
| |
3 min read

There is a recent trend in the cybersecurity field that could significantly change the landscape of threat detection analytics. Historically, technologies have been focused on threat kinetics, which identify the threat as it exposes itself within a network. For example, a threat may be identified by an IDS rule based upon connection metrics, signatures and file hashing. If the threat has already infected a site, it may be identified by sandboxing or executing the threat on a virgin host. Infected systems may also be detected by discovering beaconing traffic or command-and-control communications. Essentially, the threat is identified inside your network by analyzing the attributes that expose it.

There is a constant ebb and flow of techniques and countertechniques to detect and hide threat kinetics. Dark malware developers can detect an install on virtual hosts and change it to a benign install, thus hiding the malware kinetics from the sandbox. Next-generation sandboxing will attempt to use thousands of low-cost bare metal systems to thwart the detection of a virtual host. The dark developers will simply implement methods to test if this is a “production system” by analyzing configuration files, accounts, system caches, file caches and more.

The use of threat kinetics to identify malware will continue to be an arms race between black hat and white hat developers. As long as the landscape of new hardware, new software and poor application programming continues, the thrust and parry of this battle will continue. Threat kinetics is a necessary component of security but not an answer in itself.

Identity Kinetics: The Evolution of Threat Kinetics

Although analogies are usually the worst form of argument, one can be made between a common criminal and an attempt to infect a foreign host with malware. If a criminal is planning to break into a building, he or she may purchase some tools, hide behind a mask or wig and rent a car using a false identification, all in an attempt to disguise his or her true identity.

The same is true for any electronic threat. Attackers conceal themselves using IP spoofing, MAC spoofing, tunneling, proxy indirection, ambiguous domains, embedding brands within domains and domain/IP fluxing. We can refer to these techniques as identity kinetics. These are methods used by attackers to disguise themselves both to the intended target and to outside parties that may track and identify them. New technologies and methodologies are being developed to expose attackers as they are disguising themselves. This has a crucial added benefit since the detection could occur outside your network prior to the attack.

Upstream Identification

Suppose hackers are attempting to disguise the originating IP address of an attack. They might use IP tunneling or a product like Tor with multiple proxy hops to block the actual host of the attack. Imagine identifying a session that is obfuscating the address origination and then supplementing this with additional identity metrics such as geolocation to determine suspicious traffic with a high degree of confidence. The ability to identify potential threats “upstream” using identity kinetics significantly changes the landscape.

Exposing DNS Resolutions

Threat kinetics relies on metrics gathered inside a network, while identity kinetics depends on information gathered externally. Databases that can collect real-time information for use toward identity analytics are emerging. One form of these databases can provide information that exposes a significant portion of DNS resolutions. In fact, they claim that they see 45 percent of all DNS transactions taking place on the Internet, using a web of distributed probes and aggregating the information to a centralized host.

Exposing DNS resolutions and assembling the results allows external security metrics to be applied, which can assess the risk associated with those domains. Any newly observed domain should be associated with an elevated risk. If we observe a domain and link it to other attributes in aggregation such as IP fluctuation, geolocation and event-based scanning, we can determine the risk score of that domain prior to any active threat. In fact, we could actually watch a threat emerge as it happens.

Correlating Security Assessments

We have long talked about trusted systems, trusted authorities and who trusts whom. The complexity of the system and the fact that a trust value gets associated with an entity only assures that eventually a trusted system will become corrupt. Trust is relative to an entity and not absolute within an ecosystem. Take, for example, the correlation of trusted domains, copyright information and newly observed domains into a single security assessment.

Assume that we can proclaim we trust ourselves and nobody else. Then also assume that there are copyright assets associated to any entity, such as registered domains and copyright labels. IBM is a registered domain and has copyright labels such as Watson, Q1Labs, X-Force and others. Now imagine any copyright embedded in an untrusted domain, such as the fictional This domain should be flagged as highly suspect, especially if you assert DNS age and DNS flux attributes. Embedding a trusted copyright with an untrusted domain, accompanied by real-time DNS attribution, is another example of threat detection using identity kinetics.


The movement of threat kinetics methodology to identity kinetics is rapidly advancing, and there are many companies pursuing this avenue. It is not hard to imagine that soon the real-time analysis of the Internet will be extended to HTTP traffic-sharing flow information.

Russell Couturier
CTO Security Intelligence, IBM

Dr. Couturier has been the successful founder of the three internet security companies and a technology leader in the forensic and security intelligence spac...
read more