Evidently this is the month of anti-malware research for us – I’m adding to the Malware Analysis Quant project by starting a separate related series. We’re calling it Network-based Malware Detection: Filling the Gaps of AV because that’s what we need to do as an industry.
Current State: FAIL
It’s no secret that our existing malware defenses aren’t getting it done. Not by a long shot. Organizations large and small continue to be compromised by all sorts of issues. Application attacks. Drive-by downloads. Zero-day exploits. Phishing. But all these attack vectors have something in common: they are means to an end.
That end is a hostile foothold in your organization, gained by installing some kind of malware on your devices. At that point – once the bad guys are in your house – they can steal data, compromise more devices, or launch other attacks. Or more likely all of the above. But most compromises nowadays start with an attack dropping some kind of malware on a device.
And it’s going to get worse before it gets better – these cyber-fraud operations are increasingly sophisticated and scalable. They have software developers using cutting-edge development techniques. They test their code against services that run malware through many of the anti-malware engines to ensure they evade that low bar of defense. They use cutting-edge marketing to achieve broad distribution, and to reach as many devices as possible. All these tactics further their objective: getting a foothold in your organization. So it’s clear the status quo of anti-malware detection isn’t cutting it, and will not moving forward.
The first generation of anti-malware was based on signatures. You know: the traditional negative security model that took a list of what’s bad and then looked for it on devices. Whether it was endpoint anti-virus, content perimeter (email, web filtering) AV, or network-based (IDS/IPS), the approach was largely the same. Look for bad and block it. Defense in depth meant using different lists of signatures and hoping that you’d catch the bad stuff. But hope is not a strategy.
The value of pattern matching
You may interpret the previous diatribe as an indictment of all sorts of approaches to pattern matching – the basis of the negative security model across all its applications. But that’s not our position. Our point is that these outdated approaches look for the wrong patterns, in the wrong data sources. We need to evolve our detection tactics beyond what you see on your endpoints or on your networks. We need to band together and get smarter. Leverage what we see collectively and do it now.
It’s an arms race, but now your adversaries have bullets designed just to kill you. But a bullet can only kill you in so many ways. So if you can profile these proverbial ways to die you can look for them regardless of what the attack vector looks like. Here’s where we can start to turn the tide, because all this malware stuff leaves a trace of how it plans to kill you.
Maybe it’s where the malware phones home. Maybe it’s the kind of network traffic that is sent, its frequency, or an encryption algorithm. Maybe it’s the type of files and/or the behavior of devices compromised by this malware. Maybe it’s how the malware was packed or how it proliferates. Most likely it’s all of the above. You may need to recognize several possible indicators for a solid match. The point (as we are making in the Malware Analysis Quant project) is that you can profile the malware and then look for those indicators in a number of places across your environment – including the network.
We have been doing anti-virus on the perimeter, within email security gateways, for years. But that was just moving existing technology to the perimeter. This is different. This is about really understanding what the files are doing, and then determining whether something is bad. And by leveraging the power of the collective network, we can profile the bad stuff a lot faster. With the advancement of network security technology, we can start to analyze those files before they make their way to our devices. Can we actually prevent an attack? Under the right circumstances, yes.
Of course we cannot detect every attack before it does anything bad. We have never believed in 100% security, nor do we think any technology can protect an organization from a targeted and persistent attacker. But we certainly can (and need to) leverage some of these new technologies to react faster to these attacks.
In this series we will talk about the tactics needed to detect today’s malware attacks and the kinds of tools & analysis required, then we’ll critically assess the best place to perform that analysis – whether it’s on the endpoints, within the perimeter, or in the ‘cloud’ (whatever that means).
As always, we will evaluate the pros and cons of each alternative with our standard brutal candor. Our goal is to make sure you understand the upside and downside of each approach and location for detecting malware, so you can make an informed decision about the best way to fight malware moving forward.
But before we get going, let’s thank our sponsor for this research project: Palo Alto Networks. We can’t do what we do (and give it away to you folks) without the support of our clients. So stay tuned. We’ll be jumping into this blog series with both feet right after the Christmas holiday.