
Modern Malware and the Balance Between IDS and IPS

When Defending Against Today's Threats, It's Important To Know If a Particular Security Solution Is Ready For The Front Lines of The Network.

Information security is a job that requires the ability to recognize change and adapt, whether that be adapting to changing threats, regulatory and business requirements or advances in information technology itself. Yet, the flipside of that coin is that often our latest, insoluble challenge is simply a new instance of a problem we have already confronted before. This seems particularly true in the case of threat prevention today, where in many ways we are seeing the industry revert from a threat prevention strategy to a threat detection strategy when dealing with modern malware and advanced persistent threats (APTs).

Today, the threats are new, the solutions are new, and it often feels like the best that a security team can hope for is to simply identify that an attack has occurred and begin remediation. Of course, many in IT security have seen this dynamic before in the evolution of IDS (intrusion detection) to IPS (intrusion prevention).

In the early days of threat prevention, intrusion detection was all that was possible. The detection of exploits required a deeper analysis than the industry had performed in the past, which meant it was often too slow to be placed in line where prevention could occur. Secondly, false positives were common, so security teams were reluctant to block a threat without doing some investigation first. Of course, over time these solutions matured to be faster and more accurate to the point that the vast majority of enterprises use an IPS or prevention approach today.

The benefits to prevention are pretty obvious. Threats are blocked before they ever reach the target, and the systems are automated so that staff doesn’t have to manually investigate each event. In short, with prevention, we get better protection while requiring less human intervention.

In the fight against malware and APTs, we are in large part being forced to regress to the threat detection phase of the game, where many security teams are only able to detect when they are hit and can do very little about it. It is critical that when we regress from prevention to detection we understand why, and how we can respond. For instance, what is the path for returning to an automated approach of threat prevention? Is it even possible? How do we get there from here and what can we do in the meantime? These are the important questions that we need to answer if we are going to actually make use of the lessons that we learned in the past, instead of simply reliving them in our present.

Understand the Problem: Not All Advanced Threats are Created Equal

We have to know what we are up against if we are going to make good threat prevention decisions and too often we paint new or emerging threats with an overly broad brush. This is very true of modern (or advanced) malware and a variety of other threats that are designed to stay ahead of traditional signatures.

APTs and targeted attacks get far and away the most publicity, both in the news and from security vendors. These are the truly targeted attacks where your network is the specific and only target of the threat, and in some cases all of the components of the attack (malware, exploits, remote servers) are custom-built for the attack on your network. These are the attacks where signatures lose their bite, and we have to rely on what we can directly observe ourselves instead of what someone has told us about the threat. An example would be taking an unknown or suspicious binary and executing it in a safe sandbox where we can observe any malicious behaviors firsthand. This is a great way to detect malware that doesn’t match any known signatures, but it is also a technique that will never be done in real time.

When a user opens a webpage, images and content are immediately rendered in the browser, and in almost all cases it’s unreasonable to ask that user to wait for a few minutes while we perform behavioral analysis on all of that content. So even in today’s most advanced security solutions, that initial file is still delivered to the target user, but security is at least able to identify that something bad happened and begin cleaning up. This is why almost all advanced security products have returned to threat detection as opposed to prevention, and it is an important reality – the first use of truly unknown or targeted malware will often get through to its target.

The good news is that the vast majority of malware is not truly custom-built for only your network. The overwhelming majority of malware is polymorphic or repackaged malware. This malware isn’t really new; it’s just in a new disguise in order to get by security. The short version of the story is that malware authors know that it will take a few days (at least) for antivirus vendors to capture new malware variants, write new signatures and deliver those signatures to end users. This means that attackers can modify their malware as little as once every few days and still reliably beat the AV vendors to the punch. This approach is massively popular with all types of malware including large, ongoing malware campaigns such as botnets.

In these cases, signatures can still be very powerful. First, behavioral analysis of a sample can begin as soon as the first file is encountered on your network. Within minutes of encountering sample-0, you can identify it as malicious and shortly thereafter begin blocking the file from hitting other users with a newly created signature. That means you could be looking at one infected user to clean up as opposed to hundreds. Even better, if your security vendor shares signatures, you can receive protection for new daily malware samples before they ever reach your network. This shrinking of the time to protection can enable your organization to get back on sure footing when dealing with daily malware outbreaks.

Context is Key

The second key point is that while the appearance of the malware may change due to encoding, obfuscation or polymorphism, the behavior stays very much the same. So even in truly polymorphic cases where the infecting file is new every time it is delivered, you can still build signatures based on where the file is being delivered from, how it communicates to the outside world or any evasion tricks it may employ, just to name a few. These signatures require a bit more intelligence than simply matching a binary, but they are very powerful for controlling malware even when the infecting file itself is not recognized.

This means that context is key if security is going to provide the best possible amount of prevention. It’s not enough to simply know the malware, you need to know URLs, DNS behaviors, application behaviors, evasion and obfuscation tactics and command-and-control techniques. You will also need to be able to see and track anomalies in your network and easily correlate them to specific machines or users. You will also need to quickly track users who may be infected. If you haven’t already, you will need to begin segmenting and monitoring your internal network traffic in order to see where the malware tries to spread or any ongoing hacking activities it may perform inside the network.
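The detect-then-block cycle described above (sample-0 goes to the sandbox, its verdict becomes a signature that protects everyone after the first victim) and the point that context signatures survive repackaging while file hashes do not, as an added simulation that is not part of the original article. The sandbox, the delivery host, the beacon pattern and the "malicious behaviour" marker are all constructed stand-ins.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class Sample:
    user: str
    src_host: str     # delivery source visible inline (URL host)
    content: bytes    # file bytes; repackaging changes these every time
    c2_pattern: str   # beacon the file emits when run (learned in the sandbox)

def sandbox_verdict(s: Sample) -> bool:
    # Constructed stand-in for behavioural analysis: this marker plays the
    # role of malicious behaviour observed when the sample is executed.
    return b"<malicious-behaviour>" in s.content

@dataclass
class Enforcer:
    use_context: bool = True          # False = match file hashes only
    hash_sigs: set = field(default_factory=set)
    host_sigs: set = field(default_factory=set)
    c2_sigs: set = field(default_factory=set)
    infected: list = field(default_factory=list)

    def on_delivery(self, s: Sample) -> str:
        digest = hashlib.sha256(s.content).hexdigest()
        if digest in self.hash_sigs:
            return "blocked:hash"
        if self.use_context and s.src_host in self.host_sigs:
            return "blocked:context"
        # Unknown file: it reaches the user (analysis is not real time), then
        # is detonated; sample-0 yields a hash signature plus context signatures.
        if sandbox_verdict(s):
            self.infected.append(s.user)
            self.hash_sigs.add(digest)
            self.host_sigs.add(s.src_host)
            self.c2_sigs.add(s.c2_pattern)
            return "detected"
        return "allowed"

    def on_beacon(self, pattern: str) -> str:
        # Second enforcement point: outbound traffic from an already-infected host.
        return "blocked:c2" if pattern in self.c2_sigs else "allowed"

def run_campaign(variants: int, use_context: bool):
    """Replay a repackaging campaign; return (verdicts, infected user count, enforcer)."""
    e = Enforcer(use_context=use_context)
    verdicts = [e.on_delivery(Sample(user=f"user{i}", src_host="drop.example.test",
                                     content=b"<malicious-behaviour>" + bytes([i]),
                                     c2_pattern="POST /gate.php"))
                for i in range(variants)]
    return verdicts, len(e.infected), e
```

With hash-only matching every repacked variant is a fresh sample-0 and every recipient is infected; with the delivery-host signature only the first user needs cleanup, and the learned beacon pattern gives a second chance to stop that host's C2 traffic.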

The key point to remember here is that modern threat prevention solutions cannot be silos of information unto themselves. This goes beyond answering the question, “can the system send syslogs of events?” to really answering the question of whether it can use multiple types of correlated data to make real-time enforcement decisions.

Network Chops Are a Must

To protect your assets and users you have to get between them and the threats, and this means deploying security solutions in line. This is true of network firewalls, IPS solutions and a variety of network gateways. It’s important to remember that these solutions are typically judged not only by the quality of their ability to detect and block, but also by the performance impact they have on the network in terms of throughput and latency. This is a critical point to remember when looking at more advanced threat prevention technologies, because there is a big difference between interesting technology that can be used in a lab and a technology that you can deploy in a production network, where it can potentially impact the network experience of every user and application in the enterprise.

As a result, when thinking about preventing modern threats, we have to take a very serious look at whether or not a particular solution is ready for the front lines of the network. We have to answer the stodgy but critical questions around throughput, latency, routing and high-availability. This is particularly true in the case of solutions that are designed to block malware.

Network-based antimalware solutions will often proxy a file and historically have been far too slow to be deployed in-line. Newer solutions have incorporated stream-based malware prevention that can provide malware enforcement while maintaining performance at levels that you would expect from an IPS. This is an important distinction that we have to be aware of. Just because a solution can block a threat doesn’t mean that it can block the threat without disrupting the performance of the network. It would obviously be more than a little disappointing to see the security solution that you have standardized on for modern malware protection get shot down by the network operations team because it injects too much latency and breaks important applications. So always remember, when we are talking about threat prevention, we are talking about networking, and a prospective solution is going to have to be great in both areas.

Learn from the Past, Live in the Present

These are just a few things we need to keep in mind as we look at new security technologies, and it’s important that we make use of the lessons we have learned in the past. Security will ultimately boil down to enforcement, even if we initially begin with detection. As a result, it’s important that when we perform our due diligence and evaluate these new technologies that we do so with the end goal in mind. Even if you aren’t ready to do prevention today, you will very soon, so make sure that your solutions are prepared for the challenge.

Wade Williamson is a Senior Threat Researcher at Shape Security. He has extensive industry experience in intrusion prevention, malware analysis, and secure mobility. He has extensive speaking experience having delivered the keynote for the EICAR malware conference and led the Malware Researcher Peer Discussion at RSA. Prior to joining Shape, he was Sr. Security Analyst at Palo Alto Networks where he led the monthly Threat Review Series and authored the Modern Malware Review. He has also led the product management team at AirMagnet where he helped to develop a variety of security and network analysis tools targeted to WiFi networks. He has been a steady and active researcher of new threats and techniques used to compromise enterprise networks and end-users.