Skip Navigation
BlackBerry Blog

We Are SPEAR

NEWS / 03.26.15 / Brian Wallace

Piercing through difficult problems often requires specialized and agile teams. Here at Cylance, we aim to improve security for everyone. In order to deal with these difficult problems that are outside the scope of our products and services, we needed to make a cutting edge team to puncture deep into the heart of these issues.

Cylance SPEAR™

SPEAR is an advanced research team consisting of Cylance veterans, each with a strong dedication to security. SPEAR is in fact an acronym. It stands for Sophisticated Penetration, Exploitation, Analysis, and Response.

The mission of SPEAR is simple and direct: Do what is needed to improve security. We will be doing this in a number of ways. By conducting security research, and publicly releasing the results and relevant tools, we hope to make it far more difficult for threat actors to operate.

What We Do

We found it peculiar that most security research teams, such as the talented Project Zero, primarily focus on finding vulnerabilities in applications. While we will also have some focus on identifying vulnerabilities, we are not limiting ourselves to it. For instance, one of our launch projects identifies an artifact in .NET assemblies that can be used to speed up the identification and analysis of malware.

Launch Projects

We wanted to launch Cylance SPEAR with a bang, and we have done so successfully. Our primary launch project is the discovery of a critical vulnerability in a visitor based network gateway device which allows for full read and write access. This device, developed by ANTLabs, has been found operating at 277 publicly routable IP addresses, many of which belong to affluent hotels as well as well known data centers. By responsibly disclosing this issue, we have hopefully thwarted the disastrous consequences of such a powerful bug.

As mentioned previously, we also have a project released that some what breaks the norm of security research teams. This project identifies multiple GUIDs which are of use to malware analysts and could potentially used as IOCs for detecting malware. One of the GUIDs, the typelib ID, is created by Visual Studio when a new project is created, and is actually placed into the source code in the AssemblyInfo.cs file.

Unless removed, this GUID can be used to identify any builds of the project. This allows for identification of the malware even across different versions, obfuscations and potentially across variants. The other GUID represents the build. By combining these GUIDs, a malware analyst will be able to quickly identify families of .NET malware and even identify samples that were modified after they were compiled.

Previous Projects

The SPEAR team is full of talented members who have not been adverse to success in the past. To give an idea of what kind of research we have done in the past, the following are all products of SPEAR team member research.

  • Operation Cleaver Investigation
  • RuggedCom backdoor
  • Numerous vulnerabilities disclosed

Wrapping Up

Cylance SPEAR is an advanced research team out of Cylance. I suggest you keep an eye on us, because we have some interesting research out and interesting projects underway. To be fair though, I am a bit biased as a member of the team.

Brian Wallace

About Brian Wallace

Lead Security Data Scientist at Cylance

Brian Wallace is a data scientist, security researcher, malware analyst, threat actor investigator, cryptography enthusiast and software engineer. Brian acted as the leader and primary investigator for a deep investigation into Iranian offensive cyber activities which resulted in the Operation Cleaver report, coauthored with Stuart McClure.

Brian also authors the A Study in Bots blog series which covers malware families in depth providing novel research which benefits a wide audience.