Trust… But Verify

As researchers or cybersecurity professionals, we often use tools that other people wrote.  Like… Ghidra, ClamAV, snort, tcpdump, wireshark… I could go on for a while but I’ll stop.

We also trust data other people give us: proof-of-concept exploits, vulnerability details, even malware.  There are malware repositories on GitHub that anyone can access.  I’ve used them for research.  The National Vulnerability Database (NVD, https://nvd.nist.gov, maintained by NIST) is available to anyone.

This is definitely a good thing.  It makes the field more open and accessible.  It lets us respond quickly to new threats, allows us to do research on older threats, and generally helps all researchers and practitioners in the field.

However… (of course there’s a however)… when we download the tool or exploit we’re trusting that it isn’t malicious.  

Unfortunately, that hasn’t always been the case.  Earlier this year a campaign in which attackers targeted security researchers through the tools they use was reported.

Yes, your tools were suspect.  Which raises the question: is the data suspect as well?  I often rely on others to collect data for me.  The decisions made during collection can change the results of my research, but since I don’t have access to everything on the Internet, I have to rely on it anyway.  Is it possible that the data has been modified?  I can imagine a situation where a malicious actor poisons a data set to achieve their aims.

Trust, but verify.  We trust that the software we receive from a malware repository is malware, but we shouldn’t.  We trust that the set of domains received from another repository is either malicious or benign, depending on the repository.  We trust…

But we shouldn’t.

We should always verify our sources and our tools, so we don’t get caught by a rickroll. (That isn’t a rickroll, I promise, but a write-up on a PoC that used one.)
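The minimum form of "verify" for a downloaded tool, PoC or data set is checking it against a pinned checksum before you use it. The following is an added example written for this page, not code from the original post; it reads a `sha256sum`-style manifest, hashes each downloaded file, and refuses anything that does not match. The manifest lines and file contents are constructed inline (the two digests are SHA-256 of the strings "test" and "foo") so it runs offline; the file names are hypothetical.

```python
"""Verify downloaded artefacts (tools, PoCs, data sets) against a pinned
checksum manifest before using them.  Added example, not code from the
original post.  The manifest format is the one produced by `sha256sum`:
one line per file, "<hex digest>  <filename>" (or " *<filename>" in
binary mode).  All inputs below are constructed so the script runs offline."""

import hashlib
import hmac

# Constructed manifest: what the repository *says* these files hash to.
# Obtain this from a channel you trust more than the download itself
# (project site over HTTPS, a signed release note, a hash you recorded
# yourself), not from the same mirror that served the files.
MANIFEST = """\
# sha256sum output, constructed for this example
9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08  sample-0001.bin
2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae  domains.txt
"""

# Constructed "downloaded" files.  sample-0001.bin matches its manifest
# entry; domains.txt has had a line appended after the hash was taken;
# tool.tar.gz has no manifest entry at all.
DOWNLOADS = {
    "sample-0001.bin": b"test",
    "domains.txt": b"foo\nevil.example\n",
    "tool.tar.gz": b"\x1f\x8b\x08\x00not-a-real-archive",
}


def parse_manifest(text):
    """Parse sha256sum output into {filename: hex digest}.

    Malformed lines raise instead of being skipped: a manifest you cannot
    parse is a manifest you cannot trust."""
    pinned = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"manifest line {lineno} is malformed: {raw!r}")
        digest, name = parts
        int(digest, 16)                 # raises ValueError if not hex
        pinned[name.lstrip("*")] = digest.lower()
    return pinned


def sha256_hex(data):
    """Hex SHA-256 of in-memory bytes (for files on disk, hash in chunks)."""
    return hashlib.sha256(data).hexdigest()


def verify(manifest_text, downloads):
    """Return {filename: status} with status one of:
       'ok'        digest matches the manifest
       'mismatch'  file present but digest differs (corrupted or tampered)
       'unlisted'  file present but not in the manifest
       'missing'   listed in the manifest but not downloaded
    Only 'ok' files should enter an analysis pipeline."""
    pinned = parse_manifest(manifest_text)
    report = {}
    for name, data in downloads.items():
        expected = pinned.get(name)
        if expected is None:
            report[name] = "unlisted"
            continue
        # compare_digest is constant-time; unnecessary for a local check
        # but the right habit for any integrity or secret comparison.
        ok = hmac.compare_digest(sha256_hex(data), expected)
        report[name] = "ok" if ok else "mismatch"
    for name in pinned:
        if name not in downloads:
            report[name] = "missing"
    return report


def trusted_files(manifest_text, downloads):
    """Sorted names that passed verification."""
    report = verify(manifest_text, downloads)
    return sorted(name for name, status in report.items() if status == "ok")


if __name__ == "__main__":
    for name, status in sorted(verify(MANIFEST, DOWNLOADS).items()):
        print(f"{status:9s} {name}")
    print("use only:", trusted_files(MANIFEST, DOWNLOADS))
```

One caveat the check itself cannot remove: a hash published on the same server as the download only proves the transfer was not corrupted. If the source itself is compromised, both the file and its hash can be replaced together, so for anything that matters pin the hash out of band or verify a signature (for example a detached GPG signature over the manifest) from a key you obtained separately.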

If you aren’t sure of your tools or your data, it can affect your research and its results.  We want replicable research and repeatable results, so trust… but verify.
