Research

As we discussed in the last post, detecting today’s advanced malware requires more than just looking at the file (the classic AV technique) – we now also need to leverage behavioral indicators. To make things more interesting, even suspiciuous behavior can be legitimate in certain circumstances. So for accurate and effective detection you need better context on what the code does, where it came from, and who it came from, in order to reach a reasonable verdict on whether to allow or block execution. What happens when you don’t have that context? Let’s jump into the time machine and harken back to the early days of host intrusion prevention (HIPS) and HIPS-like products. They ran on devices and scanned for both attack signatures and behaviors that indicated malware. Without proper context, these controls blocked all sorts of things – involving scads of false positives – and generally wreaking havoc on operations. That didn’t work out very well for organizations which actually needed their devices up and running, even if that imposed a cost in terms of security. Go figure. But the concept of watching for attacks on devices is solid. It was more of an implementation problem; nowadays additional context reduces false positives, increases accuracy, and limits disruption of operations – all worthy goals for a control to manage new attack vectors. So let’s dig into a few data sources (beyond behavioral indicators) that can help identify bad stuff. From Where: the Dropper In the last post we mentioned that malware writers use droppers to gain a presence on devices, and then download current and/or additional attacks, instead of attempting to get the entire malware on the device as part of the initial compromise. Of course droppers are malware just as much as anything else else, but they morph more frequently, which makes initial detection difficult. And as we described in Malware Analysis Quant, the only thing worse than being infected is getting re-infected by the same malware. So profiling malware droppers enables you to search for these files in your environment. By tracing the path of those droppers you can identify devices which have been compromised but not yet activated. The key to this effort is analysis of data about which files are on which devices; when a file is discovered to be bad, if you have the data and analytics in place it becomes easy to determine which devices have the bad file installed. Of course this is still a reactive effort. But the presence of a dropper (or similar known bad file), combined with any other bad behavior, is fairly damning evidence of a compromised device. Tracing the droppers back far enough points you to the origination point of the malware; eliminate any vestiges, and you can prevent reinfection. Who Dat: Reputation The other useful source for detecting advanced malware is the reputation of a file, sender, or IP address. Initially developed to improve the effectiveness of anti-spam gear, reputation has emerged as a fundamental aspect of every vendor’s threat intelligence offering. The larger security vendors have access to considerable amounts of data from hundreds of millions of installed endpoints and network devices; they mine their datasets to determine which files, devices, and network addresses tend to do bad things. This is all an inexact science – especially in light of the simplicity of morphing a file, spoofing an IP address, or fiddling with a device fingerprint. You need to expect advanced adversaries to look like something innocent, even when they aren’t. You cannot afford to rest your malware-or-clean verdict strictly on reputation – but you can use it as a supporting data source, for additional context when analyzing a possible attack. Of course malware writers don’t make it easy to figure out what they are doing. Your best bet is to assemble as much data as you can, analyze what’s going on within the device (behavioral analysis), and combine with data from outside sources to judge the nature and intent of code running (or attempting to run) on your devices – this at least gives you a fighting chance. So far we have focused on analysis and detection, but detection doesn’t help without a mechanism to actually block attacks once they are detected. So we will wrap up this series next week, with an assessment of the different classes of security controls that can leverage this context data to block specific attacks. Share:

It was bound to become blindingly obvious sometime. The ruse of anyone accurately tracking market share in any market has been a running joke for as long as I can remember. I guess some folks do argue with the so-called market share numbers, like McAfee recently did, but it is usually attributed to sour grapes for those with crappy numbers. I’d say that market share doesn’t matter for end users, but in reality it’s safer to go with a vendor with a large market share. And in today’s tough business environment, very few are willing to be unsafe. Clearly these numbers matter for vendors. Many bonuses, marketing campaigns, and marketing/sales jobs hinge on these numbers. You can bet that someone at McAfee has a ton of road rash, especially if the reported share numbers are wrong. And I feel for those folks because I have personally been on both ends of the market share reporting game, and it’s always unpleasant. Why? Because the numbers are basically made up. Okay, not totally made up – in mature markets vendors dutifully report revenues and units to the analysts. But there are times when vendors don’t tell the entire truth. Or manipulate the numbers. Or obfuscate reality. Or all of the above. Let me tell a little story. Back when I was in the email security business, these numbers mattered a lot internally to my company. Our perceived leadership allegedly got us on the short list for many deals and allowed us to claim market success, which begat more business success. So when we got a preliminary report from a number-crunching firm showing our main competitor gaining share rapidly, alarm bells sounded everywhere. And it was my job to fix it. But I couldn’t make our product sell faster. Nor could I combat unsavory sales tactics by the competition. But I could manipulate the market share reporting process. Or at least try. The statute of limitations is up on this deal and none of the folks involved in the travesty are still in their current jobs, so I finally feel comfortable spilling the beans. Basically I made a call to the analyst wondering if he considered that the competitor sold both email sending devices and anti-spam devices. I mentioned that we had heard 1/3 of the competitor’s business was the spam cannons, and the remainder email security gear. When I said “I heard,” I really meant “I hoped” because it wasn’t like the competitor sent me their quarterly numbers. I didn’t turn the screws or threaten or anything like that. I just mentioned it in a simple conversation. Just food for thought for the analyst. I was pleasantly surprised when the final report came out and the competitors’ alleged revenue was reduced by 1/3. Really! I couldn’t believe it worked, but it did. To be fair, there is a chance I was right about the competitor’s revenue mix. Maybe the analyst figured out a way to confirm the sales data. Maybe the vendor came clean when the analyst pressed (assuming they did). No, I don’t think so either. Why do I tell this story, especially given that it doesn’t make me shine? Like most folks, I have done things I’m not exactly proud of. So part of this is cathartic, but I also tell the story because you need to keep these numbers in context. If you buy a product because you think a company is a market share leader, you aren’t too bright. If you don’t buy a product because the vendor is a niche player, same deal. Market share reporting is a game, just like vendor ranking quadrants. Some genius figured out how to extort money from the participants in a market to prove they are good companies. And it’s not just technology markets where these shenanigans happen. It’s pretty much every market. Don’t think that public companies play fair in this game either. Revenue allocation games can be played to make certain products look better. We all know some vendors give away products they want to look better in market share rankings as part of much bigger deals. As Adrian said when I floated a draft of this post by our extended team, “when bullsh** meets bad math, it’s the customers that lose.” That’s really the point. Do the work and figure out what makes sense for your environment. Tools like quadrants and market share grids can be used to justify a decision you have already made. But they shouldn’t be the basis for decisions you haven’t made yet. Share:

A while back we ran a show-of-hands survey at a conference of senior IT security pros. Nearly none of them wanted to support iOS, but nearly all of them needed to support iOS. Which did seem odd, considering how many were using iPhones. The good news is that although we can’t manage iOS the way we have traditionally managed most of our other employee systems, the platform itself is a lot more secure than most of the other things you are using. I know, you don’t believe me, so just read this paper. We also have plenty of options for protecting data going to the device, and once it’s on the device. This is the part that tends to be a bit more complicated, with a very wide range of tools and approaches, but all the things we review in this report are realistic and working in production environments. Hopefully this report simplifies things a bit, and as far as we know it is the only place someone has compiled all the options in one place, plus provided a neutral perspective on capabilities and usefulness. So take a look: Landing Page Direct link to the PDF: Defending Data on iOS (v 1.0) Special thanks to Watchdox for licensing this content so I can feed my kids (well, the one who bothers to eat). As always the research was developed completely independently and published on this blog for peer review throughout the entire process, in accordance with our Totally Transparent Research process. Share: