Check Point’s annual security report for 2015 documents the fact that more unknown malware has been found in the past two years than in the previous 10 years combined. According to the report, new malware introductions were relatively static in 2010 and 2011, at 18 million per year. However, this almost doubled to 34 million in 2012, rising significantly to 83 million in 2013, and reaching 142 million in 2014. The speed at which this is now occurring is quite staggering: 106 unknown malware deployments hit an organisation every hour.
The rise may be seen as partly attributable to the fact that emerging hackers are taking advantage of much easier methods for adapting and deploying malware. Whilst there are still a number of hackers working at a sophisticated level and developing advanced new threats, many newcomers to the hacking world are realising the quick gains that can be achieved through simple code modifications to pre-existing malicious files. Using modified malware, hackers are able to exploit even the most up-to-date antivirus software. How is this possible and what are the options for organisations looking to better protect themselves?
A summary of threat detection techniques
A fundamental reason why newcomers to hacking are able to bypass traditional antivirus is the mode of detection. Most antivirus software uses signature-based detection, which matches files against patterns (signatures) extracted from known malware samples. Hackers can circumvent this quickly and easily, with little or no coding experience, by making simple modifications to one or two lines within the malicious code. Below is a summary of signature-based threat detection, followed by the advanced threat detection techniques recommended for combating this issue.
Signature-based detection compares suspect code against known malicious signatures. Just a slight change to the malicious source code requires the malware analyst to create a new signature, even if the malware attack profile remains identical. As such, anti-virus software needs to be continually updated to stay in line with the latest definitions. With new definitions reaching 142 million in 2014, this poses an unending task for anti-virus vendors. The significant drawbacks for signature-based threat detection are as follows:
- The inability to cope with malware variations – every tweak to existing malware requires a new definition to be created.
- Lack of protection against zero day exploits – if a hacker discovers a specific vulnerability in a system they can create malicious code designed specifically to exploit it. Signature-based detection fails at this point.
- A post-infection technique – a sample of the malware is required to create the signature definition, thereby limiting protection to known forms of attack. The malware has to attempt to infect a device before the detection system can take action.
These are significant drawbacks which can be addressed via advanced threat detection techniques, including:
Heuristic detection implements signature-based detection conventions, but rather than scanning for specific strains of malware, heuristics look for similar, more general behavioural characteristics across a malware family. Using machine learning to identify patterns, this less exact matching method has the advantage of being able to detect zero-day exploits. A significant downside to this technique, however, is the high number of false positives detected. Furthermore, heuristic scanning and analysis can be a lengthy process potentially impacting on the performance of the device running the heuristic detection system.
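To make the contrast between the two sections above concrete, the following is an added Python example; it is not code from the article, the report it cites, or any antivirus product. An exact-hash signature scanner is placed beside a simple weighted heuristic scanner. The sample "files", the rule set, the score threshold and the "Trojan.Placeholder" label are all constructed placeholders rather than real malware or real signatures. The one-byte variant is missed by the signature database but still scores above the heuristic threshold, and a benign installer script scores above it as well, which is the false-positive cost the paragraph describes.

```python
import hashlib
import re
from typing import List, Optional, Tuple

# Constructed placeholder samples standing in for files (not real malware).
# KNOWN_SAMPLE is the file an analyst has seen; VARIANT_SAMPLE differs by one byte.
KNOWN_SAMPLE = b"MZ...DOWNLOAD http://placeholder.example/payload EXEC %TEMP%\\a.exe"
VARIANT_SAMPLE = b"MZ...DOWNLOAD http://placeholder.example/payload EXEC %TEMP%\\b.exe"
# A constructed benign installer that happens to share the same general behaviour.
BENIGN_INSTALLER = b"#!/bin/sh\nDOWNLOAD https://updates.example/setup.msi\nEXEC %TEMP%\\setup.msi"

# Signature database: exact SHA-256 of samples already analysed (placeholder name).
SIGNATURE_DB = {hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "Trojan.Placeholder"}


def signature_scan(data: bytes) -> Optional[str]:
    """Exact match only: any change to the bytes yields a different hash."""
    return SIGNATURE_DB.get(hashlib.sha256(data).hexdigest())


# Heuristic rules describe general family behaviour instead of exact bytes.
# Each match contributes a weight; the total is compared with a threshold.
HEURISTIC_RULES: List[Tuple[re.Pattern, int, str]] = [
    (re.compile(rb"DOWNLOAD\s+https?://"), 3, "downloads a remote resource"),
    (re.compile(rb"EXEC\s+%TEMP%"), 3, "executes from a temp directory"),
    (re.compile(rb"^MZ"), 1, "PE-like header"),
]
THRESHOLD = 5  # constructed value; real engines tune this against a corpus


def heuristic_scan(data: bytes) -> Tuple[int, List[str]]:
    """Return the total risk score and the reasons that contributed to it."""
    score = 0
    reasons = []
    for pattern, weight, reason in HEURISTIC_RULES:
        if pattern.search(data):
            score += weight
            reasons.append(reason)
    return score, reasons


def classify(data: bytes) -> Tuple[str, Optional[str]]:
    """Signature first (cheap, precise), heuristics second (broader, noisier)."""
    name = signature_scan(data)
    if name:
        return "signature", name
    score, reasons = heuristic_scan(data)
    if score >= THRESHOLD:
        return "heuristic", f"score {score}: " + ", ".join(reasons)
    return "clean", None


if __name__ == "__main__":
    for label, sample in [("known", KNOWN_SAMPLE), ("variant", VARIANT_SAMPLE),
                          ("benign installer", BENIGN_INSTALLER)]:
        print(label, "->", classify(sample))
```

Running the block shows the known sample caught by its hash, the variant caught only by the heuristic rules, and the benign installer flagged by the same rules; lowering the false-positive rate means either adding more discriminating rules or raising the threshold, at the cost of missing more variants.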
There are numerous approaches to detecting malicious activity via traffic monitoring techniques. These are generally centred on detecting anomalous behaviour, which involves capturing a network traffic component and comparing it to either a baseline of normal behaviour or a formal definition of what normal and abnormal behaviours are. This does not involve the creation of a malware specific signature and, as such, is not prone to the issues associated with signature-based threat detection techniques.
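As an added illustration of the baseline comparison just described (example code written for this page, not from the article or any product), the Python below learns a per-host profile from a training window of flow records, namely the mean and standard deviation of outbound connections per minute plus the set of destination ports seen, and then flags minutes that exceed mean plus three standard deviations, ports never seen in the baseline, and hosts with no baseline at all. The host names, ports, flow counts and the three-sigma factor are constructed assumptions; no malware signature is involved anywhere.

```python
import statistics
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

Flow = Tuple[int, str, int]  # (minute, source host, destination port)

# Constructed baseline window: 30 minutes of "normal" traffic for two hosts.
BASELINE_FLOWS: List[Flow] = []
for _minute in range(30):
    # ws-01 makes 5, 6 or 7 connections per minute to ports 80 and 443
    BASELINE_FLOWS += [(_minute, "ws-01", 443 if i % 2 else 80) for i in range(5 + _minute % 3)]
    # ws-02 makes exactly 3 connections per minute to ports 53 and 443
    BASELINE_FLOWS += [(_minute, "ws-02", 443 if i % 2 else 53) for i in range(3)]

# Constructed observation window: one normal minute, then a burst to an unseen
# port from ws-01 and a single flow from a host that has no baseline.
OBSERVED_FLOWS: List[Flow] = (
    [(100, "ws-01", 443)] * 6
    + [(101, "ws-01", 445)] * 40
    + [(101, "ws-03", 443)]
)


def build_baseline(flows: List[Flow], k: float = 3.0) -> Dict[str, dict]:
    """Profile each host: a per-minute rate threshold and the ports it normally uses."""
    per_host_minute: Dict[str, Counter] = defaultdict(Counter)
    ports: Dict[str, set] = defaultdict(set)
    for minute, host, port in flows:
        per_host_minute[host][minute] += 1
        ports[host].add(port)
    profile = {}
    for host, counts in per_host_minute.items():
        values = list(counts.values())
        mean = statistics.mean(values)
        stdev = statistics.pstdev(values)  # population stdev; 0 when the rate is constant
        profile[host] = {"mean": mean, "threshold": mean + k * stdev, "ports": ports[host]}
    return profile


def detect_anomalies(profile: Dict[str, dict], flows: List[Flow]) -> List[Tuple[int, str, str]]:
    """Compare observed flows against the profile; return (minute, host, reason) alerts."""
    alerts: List[Tuple[int, str, str]] = []
    seen: set = set()  # de-duplicate port/host alerts that repeat within a minute
    per_host_minute: Dict[str, Counter] = defaultdict(Counter)
    for minute, host, port in flows:
        per_host_minute[host][minute] += 1
        if host not in profile:
            key = (minute, host, "nohost")
            if key not in seen:
                seen.add(key)
                alerts.append((minute, host, "no baseline exists for this host"))
        elif port not in profile[host]["ports"]:
            key = (minute, host, port)
            if key not in seen:
                seen.add(key)
                alerts.append((minute, host, f"destination port {port} never seen in baseline"))
    for host, counts in per_host_minute.items():
        if host not in profile:
            continue
        limit = profile[host]["threshold"]
        for minute, n in sorted(counts.items()):
            if n > limit:
                alerts.append((minute, host, f"{n} connections/min exceeds threshold {limit:.1f}"))
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(build_baseline(BASELINE_FLOWS), OBSERVED_FLOWS):
        print(alert)
```

The minute-100 traffic produces no alert because it stays inside the learned rate and port profile; minute 101 produces a rate alert and a new-port alert for ws-01 and a no-baseline alert for ws-03. A real deployment would also age the baseline, since a profile learned once never catches behaviour that was already abnormal when the baseline was taken.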
Early versions of sandboxing technology worked by intercepting suspicious files as they arrived at the organisation’s gateway. Any suspicious files were inspected in a virtualised, quarantined area (the sandbox) for any unusual behaviour. If the file’s behaviour was found to be malicious, it would be quarantined to prevent the infection from reaching the network.
While this approach significantly increases malware detection rates, hackers recognised the technology and have responded by implementing further evasion techniques. As such, a next-generation approach is now being introduced: CPU-level sandboxing. This enables a deeper, more insightful look at a suspicious file’s activity. CPU-level sandboxing takes advantage of the fact that there are only a handful of exploitation methods that can be used to download and execute malware on a host PC. Because it operates at chip level, below the application or operating system layers, it effectively uncloaks the disguises applied to malware and pre-empts the possibility of hackers evading detection.
With new malware definitions proliferating at a staggering rate, organisations need to be wary of the limitations in regular antivirus software. Signature-based threat detection techniques are no longer a sufficient wall of defence. Advanced threat detection methods must be considered to prevent infected files from successfully breaching your network perimeter.
About the author
Simon Heron is the CTO at Redscan, a managed threat detection and security services company, where he is responsible for developing the overall business and technology strategy and growth.