Given the endless game of whack-a-mole that is IT malware security, it makes sense that, as anti-virus effectiveness waned, security software vendors moved to network-level prevention. The idea: we won’t need to scramble to keep malware off endpoints if we can block the exploit or the malware itself at the email server or web gateway.
From network-based anomaly detection to advanced sandboxing, these tools flooded the market and worked great — for a while. As they always do, attackers adjusted, adding new techniques such as encryption and fast-flux DNS. It is an arms race, after all. Some attackers started to obscure their exploits, hiding in plain sight by blending with innocuous network traffic. Others simply stopped aiming at the network. No network traffic means no results from network detection tools.
Malware Analysis Procedure
Where did attackers shift their efforts, if not the network? The endpoint, where security technologies haven’t evolved in years and corporate data is usually ripe for the picking.
What do we mean by endpoint? Any device sitting at the “end of the network,” that any user interacts with, that is of interest to an attacker, and that runs an operating system. Endpoints include workstations, servers, mobile devices, and also those devices that power oil valves, nuclear power plants, and any other networked device on the Internet of Things. That’s right, your Nest home thermostat is an endpoint, too. The definition is broad and expansive by design.
We’ll focus our discussion on Windows, Linux, and Apple workstations and servers; those are the endpoints that enterprise IT security teams most commonly deal with when investigating incidents. But keep thinking abstractly — advanced threats such as Stuxnet illustrate that severe risk comes in many different shapes and sizes based on your type of business. While it may seem reasonable that you need radically different security controls on a mobile device versus a sensor running Linux that controls flow on a gas pipeline, the reality is, you don’t. In short, it’s not mobile security, it’s just security, and the types of controls needed for smartphones are really the same as those for workstations and other devices. Ultimately, they’re all endpoints.
In addition, let’s make it clear: We aren’t saying AV and network-based prevention tools are worthless for endpoint security. They are very effective for certain types of threats — known ones that are easily detectable. Most antivirus and other prevention products work using signatures — a comparison of static strings or bytes. Today’s antivirus tools contain millions of signatures, yet it takes only a few milliseconds to scan a binary. Speed of detection with minimal performance impact is the goal, not quality of detection.
The issue with signature technology, both endpoint- and network-based, is the pace at which these tools are updated with new signatures. It’s always too slow compared with the speed at which attackers can modify their tools, and it always will be, even with “real-time cloud-based” updates.
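To make the two preceding paragraphs concrete, here is an added example (not code from the original article or from any vendor it discusses) of the static byte-signature matching they describe. The signature strings and the three sample files are constructed for the illustration; they are not real malware signatures or real binaries. The scan is fast, as the text says, and the third sample shows why a fixed-byte signature is brittle: a single changed byte in the matched string is enough to leave the scanner with no verdict until a new signature is shipped.

```python
import time
from typing import Dict, Optional

# Constructed signatures (made up for this example): a name and the fixed
# byte sequence a scanner looks for, exactly as the article describes.
SIGNATURES: Dict[str, bytes] = {
    "SampleFamily.A": b"SAMPLE_DROPPER_STRING_A",
    "SampleFamily.B": b"\xde\xad\xbe\xef\x01\x02\x03\x04",
}


def scan(data: bytes, signatures: Dict[str, bytes] = SIGNATURES) -> Optional[str]:
    """Return the name of the first signature whose bytes occur in data, else None.

    This is the whole of classic signature detection: a substring search.
    """
    for name, pattern in signatures.items():
        if pattern in data:
            return name
    return None


def build_corpus() -> Dict[str, bytes]:
    """Construct three sample 'files' (assumption: toy stand-ins for real binaries)."""
    benign = (
        b"MZ" + bytes(200)
        + b"This program cannot be run in DOS mode"
        + bytes(300)
    )
    # A 'known' sample: the benign bytes with a signatured string embedded.
    known = benign[:100] + SIGNATURES["SampleFamily.A"] + benign[100:]
    # The same sample with one byte of the matched string altered, which is
    # all it takes to defeat a fixed-byte signature until it is updated.
    variant = known.replace(b"STRING_A", b"STRING_a")
    return {"benign.bin": benign, "known.bin": known, "variant.bin": variant}


def scan_corpus(corpus: Dict[str, bytes]) -> Dict[str, Optional[str]]:
    """Scan every sample and map file name to verdict (signature name or None)."""
    return {name: scan(data) for name, data in corpus.items()}


def time_scan(data: bytes, repeats: int = 1000) -> float:
    """Average milliseconds per scan of data, to show how cheap matching is."""
    start = time.perf_counter()
    for _ in range(repeats):
        scan(data)
    return (time.perf_counter() - start) / repeats * 1000.0


if __name__ == "__main__":
    corpus = build_corpus()
    for file_name, verdict in scan_corpus(corpus).items():
        print(f"{file_name:12s} -> {verdict}")
    print(f"{time_scan(corpus['known.bin']):.4f} ms per scan")
```

The point for a defender is not that the scanner is useless; `known.bin` is caught instantly. It is that `variant.bin` is the same file for practical purposes and gets a clean verdict, so a signature-only control tells you nothing about the gap between a modification and the next signature update, which is exactly the window the text is describing.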
You might assume that if there is no signature, these must be highly targeted, advanced, sophisticated attacks, right? Actually, most of the time they are not. In February, SANS issued its first endpoint security survey specifically because of the issues we outlined above. The results were definitely eye-opening. In its report, “The Case for Endpoint Visibility,” the data shows “advanced persistent threats” aren’t the most common risk. Of more than 900 respondents, 52% said that 20% or less of the successful attacks — those that actually did bypass their prevention technologies — used advanced stealth techniques. In other words, enterprise IT security teams have built their incident response, breach notification, and forensic processes to deal with the elusive 20% (that 80/20 rule strikes again) rather than how attackers are actually succeeding, day in and day out.
About that 80%. Attacker dwell time — the time between when an attacker compromises a system and when the intrusion is detected — continues to rise, according to the 2014 Verizon Data Breach report. The longer an attack goes undetected, the more likely logs and data will be overwritten, deleted, or destroyed. By the time your underfunded and understaffed team gets around to the threats it should be dealing with, attackers are long gone with your data, and they even had time to hide their tracks on both the compromised endpoint and the network.
The answer is aggressively and creatively shaking up your strategy to account for the true makeup and volume of attacks. The keys: automation to cope with volume, combined with excellence in incident response, revamped processes, and some new tools.