Software Worth Sharing
OUR SECRET SAUCE FOR CYBER THREAT DETECTION
Three years ago, Adam Zollman and a team of analysts at Lockheed Martin rolled out a new internal tool designed to protect company servers and email accounts from malicious software.
Given the company’s long history in cyber software development—often for large government agencies and commercial organizations—it made sense that the tool would be good.
But soon, Zollman and the team realized it’s more than just good—it’s powerful.
After testing extensively, collecting tons of data and introducing a few evolutions, the team is now sharing the software, named Laika BOSS, with the cyber security community at large.
BEHIND THE SCENES
Cyber analysts work endlessly to out-innovate cyber criminals on a daily basis. Oftentimes, this means creating solutions where none exist in the open marketplace.
The original project behind Laika BOSS was to create a custom scanning capability to detect and block malicious email without having to go to a vendor to get a feature implemented. Defenders needed a flexible platform to allow them to quickly adapt and stop malicious software before it was delivered to employees in hidden files.
While Laika BOSS initially inspected just email when it went live in March 2012, it has since been expanded to cover other potential methods for delivering malicious software. Only six months later, Laika BOSS was scanning HTTP web network traffic as well.
“Laika BOSS runs independently of collection—it applies the same module workflows and detections regardless of where the files come from,” said Matt Arnao, a cyber intel analyst at Lockheed Martin. “The flexibility of the platform allowed us to converge our detection capabilities for HTTP and email into a single system.”
APPLYING INTELLIGENCE TO DATA
Laika BOSS is continuously evolving and being refined by analysts like Zollman and Arnao. It started with only 20 modules and today there are over 100.
Each module has a very unique job—for example, one job might be to extract a zip file. They only need to perform small tasks because Laika BOSS chains the modules together into flexible pipelines. These modules are only activated when they are needed.
This is one of the things that makes Laika BOSS unique—it’s file centric, meaning Laika BOSS focuses on files no matter where they come from or where they might be hiding. For instance, malware can come packaged in an email, PDF or web download. Each file is extracted and treated appropriately according to its type in order to discover new files, some of which may be malicious.
Laika BOSS is not the first of its kind, but it is the next generation of an open source cyber security platform. What makes it different from anything currently on the market—either open source or commercial—is its scalability. Its modular system can be easily extended to adapt to new data sources and new threats, analyzing any file type to break it down into parts that are then scanned for malware. It does this automatically because analysts are able to write predefined workflows.
Lockheed Martin analysts call it, “Write once, run everywhere.”
Cyber criminals don’t sleep, and neither does Laika BOSS. While any open source platform is not helpful without analysts on the other end, they can’t be working 24/7. Automation means our data is protected even when analysts aren’t in the room.
OPENING THE DOORS
The Laika BOSS software is designed to take files and break them down to look for indications of malware, allowing analysts to focus on more interesting problems.
“The mechanics of moving data around was taking a lot of time,” Zollman said. “The framework automates that for us; it allows analysts more time to look at data and find the source of the malware.”
As a community, cyber analysts have collectively taken it onto themselves to share information with their peers, bringing together the best cyber analysts in the world to improve our collective cyber defenses. As that community has continued to grow, so has the rise of open source tools that reinvent what it means to work together.
Laika BOSS may just be the next step.
After revealing the software at the Black Hat cyber security conference, the team hopes to form a community around Laika BOSS that can address common threats and challenges. Learn more >>