Intellectual Property at Risk

Posted on by Christopher Burgess

Walk about your office and ask your employees, "Are you appropriately protecting the company's intellectual property (IP)?" Count how many responses resemble, "Oh, I don't have access to any IP, I work in XYZ department, not R&D." Such answers cause cringes at every level, as it demonstrates multiple points of failure: failure to enlighten the workforce that IP involves so much more than just R&D and patents, and failure in security education as to the responsibility of all to protect the company's assets.

Indeed, your company's secret sauce, otherwise known as trade secrets, is also IP, perhaps among the most valuable pieces of IP a company can own. Coca-Cola, for example, has a secret recipe for their beverage, which has had many attempts at being purloined over the years; similarly, other companies have their playbooks and stratagems for market differentiation. These too are defined as your IP.

The presentation of Marion Marschalek (IKARUS) and Mike Kendzierski (SHOSHN Ventures), "Malware Under the Hood: Keeping Your Intellectual Property Safe" and this writer's "How to Discover if Your Company's Files Are on a Hacker's Shopping List" both looked at the targeting of intellectual property by a potential adversary, from identification and rationale for orchestrating a theft through to the attack and investigatory remediation.

The latter presentation discussed investing effort in reviewing nation-state and competitor program investment. Doing so will go a long way toward determining if your technology or knowledge is on an adversary's shopping list. Similarly, if your information is supporting a defense or intelligence customer or is on a list that proscribes the export of your technology or knowledge, you may fast-track to the assumption you are in an adversary's target pool. And like water, criminals will follow the path of least resistance in pursuit of IP deemed desirable and identified for acquisition. In this regard, your choice is to sit back and wait or harden and take proactive measures to disrupt the technical acquisition.

The Malware Kill Chain

Marschalek and Kendzierski explained how an understanding of the malware kill chain provides every entity multiple opportunities to disrupt the theft of their intellectual property. You should have measures in place to disrupt any of these links in the chain:

  • Lure: Enticing an individual to take an action or causing an action to be taken via a sequence of events. These may be as complex as crafting a one-off inducement that is personally handed to the target for placement in their network/system or as simplistic as sending out a wide-area spam to a purchased list of emails associated with your country.
  • Exploit: The landing of the initial piece of malware. It may be as little as a 20 kb "dropper" or a full-on piece of code designed to self-replicate and spread.
  • Infection: The landing and tethering into your system(s).
  • Call home: The malware communicates back to the entity controlling the theft.
  • Steal data: Once the command, control, and acquisition cycle has been confirmed, targeted information is then lifted and exfiltrated.

The organizations that can detect and disrupt the discrete portions of the malware kill chain give themselves a leg-up in the protection of their IP.


To take a phrase straight from Marschalek, "'Advanced' and 'sophisticated' are terms we use when we don't completely understand something." She and Kendzierski continued, "Understanding is the first crucial step towards protection!" It is incumbent upon us to understand our ecosystems, to understand where our data resides, and attempt to understand who and what entities may be targeting your information as a shortcut to satisfying their own needs. Intellectual property is every company's life's blood—protect it; the job you may be saving is your own.

Christopher Burgess

, Prevendra Inc.

law anti-malware threat intelligence

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

Share With Your Community

Related Blogs