What Good is a Snapshot in a Continuously Changing Malware Landscape?

When Dealing With Advanced Malware and Targeted Attacks, Enterprises Must Expand Their Approach To Address the Entire Lifecycle of Modern Threats

In my previous column, I wrote that advanced malware and targeted attacks are profoundly changing how we need to protect our systems. It’s no longer enough to focus on visibility and blocking at the point of entry in order to protect systems.

(Figure: Malware Detection and Remediation Process)

Attacks today have reached a new level of sophistication, and outbreaks are inevitable. Like the infamous bank robber Willie Sutton, who disguised himself as a mailman, a maintenance man, even a police officer to gain entry to targeted financial institutions and eluded captors for decades, modern malware can disguise itself as a legitimate application to evade defenses. Later, when a breach occurs, you don’t know what you’re looking for. To contain and stop the damage, you need a broader approach to IT security that enables continuous visibility and control. Once you can “see it,” you can “control it” and “protect it.”

Think for a moment about how today’s air transportation safety procedures have evolved as we’ve become savvier to potential threats. Airport security checkpoints are essential to keeping threats off our airplanes. However, the addition of federal air marshals and the ongoing training of in-flight personnel to spot suspicious behavior in the air are also critical to maintaining security. An individual may appear perfectly ‘normal’ and escape notice when passing through the initial checkpoint. But behaviors change (e.g., he or she may become increasingly anxious, agitated or angry) as the time approaches to execute an attack.

Now consider today’s malware defenses. Technologies like sandboxing take the same ‘snapshot’ approach to security as airport checkpoints. They provide a baseline level of protection, but they cannot identify sophisticated malware that appears ‘normal’ in a sandboxed environment, whether by failing to execute at all or by recognizing that it is running in a sandbox and modifying its behavior. Yet unlike our air transportation safety program, which continues to monitor individuals beyond the checkpoint, once a file is deemed ‘clean’ and leaves the sandbox it is no longer visible. At that point, the malware has infiltrated the network and the problem shifts from threat prevention to threat removal; without ongoing visibility, an outbreak is inevitable.

To deal with advanced malware and targeted attacks, organizations must expand their approach to the malware problem to address the entire lifecycle of modern threats—from point of entry, through propagation, to post-infection remediation. Obviously, you still need a first line of defense that includes malware detection; the ability to identify files as malware at the point of entry and remediate accordingly is a fundamental first step. But you also must identify technologies that extend visibility and control through to propagation and post-infection remediation. Let’s take a closer look at these phases of the malware lifecycle and technologies that can help increase protection.


Malware that gets through the first checkpoint will change its behavior, perhaps immediately but perhaps not for days, weeks or even months. You need solutions that will continuously monitor files and identify and analyze suspicious changes in behavior, automatically cross-checking against other pieces of contextual information such as bandwidth usage, time of day and file movement for greater intelligence. Continuous file visibility and analysis is critical to understand how to contain outbreaks and block future attacks.

Post-infection Remediation

Once you’ve identified suspicious behavior, you need solutions that can automatically evaluate the file against the latest threat intelligence and retrospectively alert you to malware. You can’t afford system performance delays, so technologies that leverage the cloud to analyze individual files without a full system scan save computational cost. Next you need to understand the scope of the breach—what was the file’s trajectory? Gaining visibility into which systems the file has touched, and whether it has been executed on them, gives you actionable intelligence to contain the outbreak. Armed with this insight you can quickly take steps to remediate—quarantining files previously thought to be safe but now deemed to be malware, and performing clean-up.
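The retrospective alerting and file-trajectory workflow described above, as an added example that is not from the column or any vendor product: constructed file-sighting telemetry (host, hash, path, executed flag) is correlated against a later threat-intelligence reclassification to produce the alert, the file’s trajectory across hosts, the hosts that actually executed it, and the quarantine list. The record schema, host names, paths and placeholder hashes are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed telemetry record: one sighting of a file on one host. The field
# names are assumptions for this example, not any product's schema.
@dataclass(frozen=True)
class Sighting:
    ts: datetime
    host: str
    sha256: str
    path: str
    executed: bool

def retrospective_alerts(sightings, intel_updates):
    """intel_updates: list of (ts, sha256, verdict). For every hash later marked
    'malicious', report its earlier sightings (trajectory), hosts that ran it,
    hosts to quarantine, and how long it sat in the environment unnoticed."""
    by_hash = {}
    for s in sightings:
        by_hash.setdefault(s.sha256, []).append(s)
    alerts = []
    for ts, sha256, verdict in intel_updates:
        if verdict != "malicious":
            continue
        prior = sorted((s for s in by_hash.get(sha256, []) if s.ts <= ts), key=lambda s: s.ts)
        if not prior:
            continue  # never seen before reclassification: an ordinary block, not retrospective
        alerts.append({
            "sha256": sha256,
            "dwell": ts - prior[0].ts,                      # time between first sighting and verdict
            "trajectory": [(s.ts.isoformat(), s.host, s.path) for s in prior],
            "executed_on": sorted({s.host for s in prior if s.executed}),
            "quarantine_on": sorted({s.host for s in prior}),
        })
    return alerts

# Constructed sample: a file passes the sandbox as "clean" on day 0, spreads to
# two more hosts, and threat intel reclassifies its hash as malicious on day 9.
T0 = datetime(2013, 3, 1, 9, 0)
H_BAD = "a" * 64   # placeholder hash, not a real indicator
H_OK = "b" * 64    # a file that stays clean and must not be alerted on
SIGHTINGS = [
    Sighting(T0, "ws-01", H_BAD, r"C:\Users\j\Downloads\invoice.exe", False),
    Sighting(T0 + timedelta(hours=2), "ws-01", H_BAD, r"C:\Users\j\Downloads\invoice.exe", True),
    Sighting(T0 + timedelta(days=3), "fs-01", H_BAD, r"\\fs-01\share\invoice.exe", False),
    Sighting(T0 + timedelta(days=6), "ws-07", H_BAD, r"C:\Temp\invoice.exe", True),
    Sighting(T0 + timedelta(days=1), "ws-02", H_OK, r"C:\Program Files\tool\tool.exe", True),
]
INTEL = [(T0, H_BAD, "clean"), (T0 + timedelta(days=9), H_BAD, "malicious")]
```

Calling `retrospective_alerts(SIGHTINGS, INTEL)` yields one alert for the reclassified hash: a nine-day dwell time, a four-step trajectory across three hosts, execution on ws-01 and ws-07, and a quarantine list of fs-01, ws-01 and ws-07.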

Malware detection is a critical component to any defense strategy, but it isn’t fail-safe. Without continuous file analysis and retrospective alerting you’ll remain in the dark until your systems begin to significantly falter. When an attack does become evident you’ll be challenged to know how to contain and stop the damage.

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies, including Valtix.
