Greetings from the RSA security conference in San Francisco! This is the Codebook cybersecurity newsletter.
The NSA will release an agency-designed tool to research malware as a free-to-the-public, open source program.
The big picture: The NSA program, known as GHIDRA, is a software reverse engineering framework. It disassembles and decompiles compiled binaries, including malware, into assembly and C-like pseudocode that approximates the original source code, which the malware author never ships. That lets researchers and security pros work out what a sample does, attribute it and build defenses against it.
Why it matters: A free, full-featured disassembler and decompiler lowers the barrier to entry for malware analysis, which has long depended on expensive commercial tooling.
GHIDRA will become an open source project, meaning any software developer can use it, modify it and contribute code to help improve the product.
The impact: To the NSA, the move offers a number of advantages.
To answer your least pressing questions: GHIDRA is pronounced "Gee - dra," according to NSA official Rob Joyce, who will be presenting the tool to the RSA cybersecurity conference for its official release later Tuesday. We asked.
Companies took 3–4 weeks less to discover they had been hacked in 2018 than in 2017, according to a report from the security firm FireEye: the time attackers spent undetected inside a network dropped from 57.5 days to 32 days.
Yes, but: Attackers still have a real advantage. 32 days is still a long time when moving from a single compromised account to control of large parts of a network is a matter of hours to days, not weeks.
Also: Advanced persistent threats (APTs) are getting more persistent, according to the FireEye report. APTs, jargon for well-resourced attackers, typically nation states, that keep long-term access to their targets, revisited more recent victims in 2018 than in 2017.
Chronicle, the security firm owned by Google parent Alphabet, launched its flagship security product Backstory at an unofficial RSA event Monday.
The big picture: Backstory provides fast search and analysis over an organization's security telemetry so that responders can reconstruct the sequence of events leading to a breach. It ingests data from a variety of security products and keeps a long-term record of how user accounts and hosts interact with the internet, which can then be matched against known-bad infrastructure such as the sites malware uses to upload stolen data.
Why it matters: While this isn't Chronicle's first product (Chronicle runs VirusTotal, the malware-sample clearinghouse for researchers that Google purchased in 2012), it is the first mass-market product for the company and the first conceived in house.
The intrigue: Many, including journalists at the launch event, expressed concern about the privacy aspects of the program, given that Backstory stores customers' security telemetry in Google's cloud and Google's history of analyzing data users provide it.
The companies in the beta test of Backstory included Siemens and the security firm Carbon Black, whose endpoint security product can integrate with Backstory.
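As an added illustration of the "big picture" paragraph above (example code written for this page, not Chronicle's or Backstory's own), the script below does in miniature what a telemetry-retention product is for: it keeps per-account auth, proxy and endpoint events, matches destinations against a list of known exfiltration domains, and returns, for every account that reached one, the ordered chain of events leading up to that contact. The log lines, log format and the exfiltration domain list are all constructed for the example.

```python
"""Toy breach-timeline reconstruction over constructed security telemetry.

Added example, not Chronicle/Backstory code. Log format, hostnames and the
threat-intel list are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional, Set

# Constructed sample telemetry. Format: timestamp|source|user|detail
SAMPLE_LOGS = """\
2019-03-04T08:01:10Z|auth|alice|login_ok src=10.0.0.12
2019-03-04T08:03:55Z|proxy|alice|GET hr-portal.corp.example
2019-03-04T09:12:40Z|auth|bob|login_ok src=10.0.0.31
2019-03-04T09:15:02Z|proxy|bob|GET docs.corp.example
2019-03-04T11:42:18Z|proxy|alice|GET invoice-update.attacker.example
2019-03-04T11:42:20Z|edr|alice|process_start inv.exe parent=outlook.exe
2019-03-04T11:45:07Z|proxy|alice|POST drop.exfil.example
2019-03-04T12:01:00Z|proxy|bob|GET docs.corp.example
"""

# Constructed threat intel: hosts that (in this example) receive stolen data.
EXFIL_DOMAINS: Set[str] = {"drop.exfil.example"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str  # auth | proxy | edr
    user: str
    detail: str

    @property
    def domain(self) -> Optional[str]:
        """Destination host for proxy events ("GET host" / "POST host"), else None."""
        if self.source != "proxy":
            return None
        parts = self.detail.split()
        return parts[1].lower() if len(parts) >= 2 else None


def parse_logs(text: str) -> List[Event]:
    """Parse the pipe-delimited constructed format into Events sorted by time."""
    events: List[Event] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, source, user, detail = line.split("|", 3)
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(when, source, user, detail))
    return sorted(events, key=lambda e: e.ts)


def exfil_contacts(events: Iterable[Event], intel: Set[str]) -> List[Event]:
    """Proxy events whose destination is on the exfiltration list."""
    return [e for e in events if e.domain in intel]


def breach_timeline(text: str, intel: Set[str]) -> Dict[str, List[Event]]:
    """For each account that reached an exfil domain, return its retained events
    in order, from the earliest record up to and including the first exfil
    contact: the chain of events leading to the breach."""
    events = parse_logs(text)
    timelines: Dict[str, List[Event]] = {}
    for hit in exfil_contacts(events, intel):
        if hit.user in timelines:
            continue  # only the first exfil contact per account starts a timeline
        timelines[hit.user] = [e for e in events if e.user == hit.user and e.ts <= hit.ts]
    return timelines


def render(timeline: List[Event]) -> List[str]:
    """Human-readable lines for one account's timeline."""
    return [f"{e.ts.isoformat()} [{e.source}] {e.detail}" for e in timeline]


if __name__ == "__main__":
    for user, tl in breach_timeline(SAMPLE_LOGS, EXFIL_DOMAINS).items():
        print(f"== {user}: {len(tl)} events leading to exfil contact")
        print("\n".join(render(tl)))
```

Only alice's account produces a timeline: her login, normal browsing, the visit to the lure domain, the process start on her endpoint and the POST to the exfiltration host appear in order, while bob's unrelated activity is left out. The point of retaining the raw telemetry is exactly that the lure visit and process start were not alarming on their own; they become evidence only once the later exfil contact lets you search backwards.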
North Korea appears to have run the hacking campaign previously identified as "Operation Sharpshooter," according to a new report from McAfee, which first reported on the attacks in December.
The big picture: McAfee originally believed the attacks carried so many North Korean fingerprints that they might be a false flag, a different actor trying to frame Pyongyang. But the company's researchers now say that analysis of code and data recovered from an intermediary command-and-control server indicates the attacks really did originate from North Korea.
Details: According to the new report, the Sharpshooter campaign dated back to at least September 2017, a year earlier than was previously known.
Other interesting notes from the report:
Codebook will be back on Thursday.