Our Effectiveness at Controlling Modern Malware will be Tied to our Ability to Adapt and Extend our Security Methodologies
Modern malware and advanced attacks are obviously very real and serious threats today. The serial breaches of 2011 provide ample proof of that. However, as often happens when confronting a new challenge, myth and misinformation can creep in the conversation and can make the problem seem insurmountable.
This misconception is something I’ve seen more and more in IT circles where advanced malware and attacks are increasingly thought of as undetectable, indestructible boogeymen, against which resistance is futile. People are led to believe that the malware attacks are IT ninjas that can infiltrate without detection and vanish in a puff of smoke. They have built malware up to be Keyser Soze.
While there is no doubt that modern malware are highly evasive and skilled at avoiding detection, if we give these threats too much credit we risk turning our problems into unsolvable myths, and in the process miss the chance to stop them.
For an example of a real threat that becomes larger than life, we only need to look at the advanced persistent threat (APT). APTs are a real threat, but in some organizations they have become the ever-present scapegoat for almost any security breach. “Someone broke into the network? Well it was an APT, there was nothing we could have done.” Beyond providing a convenient excuse, this sort of attitude can lead to passivity and missed opportunities to spot threats. I’ve come across more than a few examples where IT teams assumed their situation was hopeless when there were actually plenty of things they could do immediately or could do with minor changes to their security policies. Here are a few examples.
One common problem is getting overly caught up chasing the latest threat in the news as opposed to building a repeatable process to protect the organization. A case in point, when the TDL-4 botnet was originally announced, security researchers wrote extensively about it and it received plenty of coverage after it was deemed “indestructible” due to the way it used a peer-to-peer network to survive even if its command and control servers were taken offline. This was a perfectly reasonable and interesting piece of security news. The problem is that I kept running into security staff that assumed that indestructible meant they couldn’t do anything about it, when in reality almost all of the recommended techniques for controlling botnets apply to TDL-4 as well.
TDL-4 was largely distributed by drive-by-downloads from users visiting compromised sites. These infections can be severely curtailed by implementing drive-by-download protections, which look within all types of applications for unexpected file downloads. You can decrypt traffic from dangerous sites to ensure that TDL-4 can be seen. You can block proprietarily encrypted traffic coming out of the network, which TDL-4 uses for its command and control. You can alert and block if you see unknown proxy servers or proxied traffic popping up on your network, which is another step TDL-4 uses to cover its tracks. And of course, you can detect TDL-4 both as an infecting file and based on its command and control traffic. Everything that made TDL-4 “indestructible” really had nothing to do with enterprise network security, so while TDL-4 may be difficult for authorities to dismantle, in terms of IT security it can be managed just like other modern botnet. The key point for IT is to learn the things to look for and that you can then build an ongoing policy and process that detects and enforces appropriate controls.
Another common misunderstanding stems from the challenges posed by targeted and customized malware. As a quick summary, the issue revolves around the fact that traditional anti-malware solutions are based on signatures. This means that for these solutions to work, they have to have been previously seen and analyzed (i.e. a signature must know what its looking for). Malware that is customized for the target or polymorphic (meaning they intentionally evolve over time) will be able to avoid traditional solutions because the file is essentially new and will have no signature. This has led some to wonder aloud if these signature-based approaches are now obsolete. The short answer is no.
Today, and even into the future, the majority of both exploits and malware will continue to be known. Hackers will leverage a given vulnerability for as long as possible. Plenty of very well-known malware continues to spread and thrive in the wild. In terms of volume, known threats still represent the fat part of the bell curve.
With that said, targeted and unknown malware is a real problem. But instead of abandoning our existing security techniques, we should look at how to supplement them to account for threats that we may never have seen before. This is being done today through visiting an old IT security friend – the sandbox. The main problem with controlling these types of malware is that the first place it will ever show up is actually in your live network. There is no past history to draw upon. This is where the sandbox comes in. A sandbox provides a controlled environment where files can execute and be observed for malicious behavior. With sandboxing technology we can identify modern malware based on behavior and not signature.
This doesn’t mean that signatures are dead. We still have to enforce security once we find that a particular file is malicious. Sandbox analysis takes time, while signatures are fast. So here we can get the best of both worlds by using the sandbox to find threats and create signatures that can then be enforced at line speed.
Now, many of you may be scratching your head wondering, “well what good does a signature do if I’ve already let the file through on the first pass?” The answer is two-fold. Not only do we want to protect against the infecting file showing up again, but we also need to quarantine any active infections. Here, again, the sandbox comes in very handy. In addition to detecting malicious behavior, we can also analyze the traffic that the malware generates. This allows us to create traffic signatures that we can use to update our IPS and URL filtering solutions that can stop the threat from communicating while IT has time to clean the infected boxes.
So while modern malware certainly presents a stark adversary, the key is to make sure we give our adversary the respect they deserve, but not too much. Secondly, we should be looking to integrate our security measures to work together, and not simply searching for the next silver bullet. Modern threat prevention will need the strengths of all layers of defense, including application controls, user controls, IPS, anti-malware, and URL filtering to name a few. Our effectiveness at controlling modern malware will be tied to our ability to adapt and extend our security methodologies to an ever-changing environment.
Read More of Wade’s Columns here.