The phrase ‘know your enemy as well as you know yourself’ is often quoted in IT security. But with the sheer number and complexity of cyber attacks, getting to know the enemy is a huge task. Adversaries line up daily, using a bewildering array of malware threats to try to disrupt operations or stealthily siphon confidential data. And organisations remain vulnerable to zero-day attacks given the volume of new malware that can hide in plain sight in innocuous-looking files. So, although we may not know everything about every enemy, new security technology can reveal vital intelligence that can be used to identify and nullify new risks that arise every day.
Cybercrime has become big business, and as in any other business sector, criminals want to boost revenues and grow market share. To increase the likelihood of success, they target hundreds, even thousands of companies. In 2012 an average of 70,000 to 100,000 new malware samples were created and distributed daily – over 10 times more per day than in 2011 and over 100 times more than in 2006. Check Point’s 2013 Security Report found that 63% of organizations were infected with bots, and more than half were being infected with new malware at least once a day. Keeping pace with this massive growth is proving impossible for conventional anti-malware approaches.
Hiding in plain sight
Stealthy malware, the attack technique most commonly used, is difficult to detect and is designed to operate below the radar of IT teams. The code for a majority of these new malware types is concealed in common file formats that we all use for business – emails and their attachments, including Word documents, PDFs, Excel spreadsheets and so on. Hacker toolkits can obscure these executable scripts in order to disguise their malicious actions, which may mean changing the registry on a user’s computer or downloading an executable file which can then infect the network.
Even though layered defences using IPS and IDS can help to block some malware actions, these approaches do not stop infections from reaching the network and spreading across it. New exploits, or even variants of known exploits, have no existing signatures that conventional defences can detect. While antivirus, anti-spyware and similar security solutions are useful for ‘clean-up duty’ in the aftermath of an attack, they are often ineffective as a defence against new attacks.
However, just as a country’s border controls will use a range of techniques to observe people entering the country to identify those who pose a threat, new security techniques have made it possible to scrutinise the emails, files and data that enter a network via emails or as web downloads, in real time. Malicious files can then be isolated on the gateway at the network edge, or in the cloud according to the organisation’s choice, so that infection does not occur in the first place – providing an external layer of protection against attacks, without impacting the flow of business.
Scanning for malware
This isolation and evaluation process is done using a technique called threat emulation. Rather like a border control’s X-ray scanners, the technique makes it possible to look inside suspect files arriving at the gateway – either as email attachments or as downloads from the web – and to inspect their contents in a quarantined area known as a ‘sandbox.’ This self-contained, virtualized version of a computer environment acts as a safe area for running various applications that may be risky or destructive.
In the sandbox’s virtual environment, the file is opened and monitored for any unusual behavior in real time, such as attempts to make abnormal registry changes or network connections. If the file’s behavior is found to be suspicious or malicious, it is blocked and quarantined, preventing any possible infection before it can reach the network and cause damage. At this point, further actions can be taken to identify and classify the new threat in order to make subsequent identification easier.
Let’s take a closer look at how threat emulation identifies new types of malware and attacks that do not have signatures, and how it can help to stop these new, stealthy attacks.
Building the sandbox
The threat emulation engine and sandbox is run by a hypervisor, which in turn runs multiple simultaneous environments for file simulation: Windows XP, 7, and 8; Office 2003, 2007, and 2010; and Adobe 9 environments, plus virtualized instances of the most commonly used Office applications such as Word, Excel, PowerPoint and others. As the overwhelming majority of modern malware uses social engineering to trick users into clicking plausible-looking attachments or file downloads, inspecting files that use these popular environments and applications offers the best chance of preventing infections.
Selecting files that are deemed suspicious and needing inspection – i.e., the route into the sandbox – happens inline, either at the organisation’s security gateways or in the cloud, using an agent alongside the organisation’s mail server. File selection can even be done with encrypted traffic delivered into the organization over SSL and TLS tunnels, which would otherwise bypass many industry standard security implementations.
The selection process is done using a combination of heuristics and other analysis methods. For example, if instances of the same file have already been cached at the gateway or by the email agent, the system considers that the file may be part of a mass phishing attempt to multiple employees. This approach optimises and accelerates analysis by choosing only suspicious files for deeper inspection. When files are selected, they are then uploaded to the sandbox containing the emulation engine, which runs either on the security gateway or in the cloud.
Threat detection
Files uploaded to the threat emulation engine are copied and launched in the multiple virtual OS and application environments. They are then subjected to a five-stage inspection process by the engine:
1. If the file crashes the virtualized instance of the program, or attempts to unpack and substitute a different document, it is flagged as malicious. Also, if the file attempts to call .dll or .exe files, this signals abnormal, potentially malicious behavior.
2. The virtual registry is checked for any attempted changes by the file – a hallmark of malware and an action that an ordinary document should never attempt.
3. File systems and processes are checked for any attempted changes made by the file – as noted above, an ordinary document should not attempt to make changes.
4. The engine checks for any attempts to communicate via the web – for example, to contact a command and control centre or download a malicious payload.
5. Finally, the engine logs and generates a report on all activity done by the file, including multiple screenshots of the sandbox environment – and also creates a ‘fingerprint’ for the file that can be used to quickly identify subsequent detections.
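To make the five-stage logic concrete, here is an added example (not Check Point’s code, and not the real report format of its engine) that applies the same checks to a constructed sandbox event log: stage 1 flags crashes, document substitution and loading of .dll/.exe code, stages 2 to 4 flag registry, file system/process and network activity, and stage 5 logs the findings and fingerprints the file with SHA-256. The event names, fields and the host process name are assumptions of the example.

```python
import hashlib

# Constructed sandbox event log for one emulated document. The event names and
# fields are this example's assumptions, not the engine's real report format.
SAMPLE_EVENTS = [
    {"type": "process_start", "image": "WINWORD.EXE"},   # the viewer itself: expected
    {"type": "load_module", "image": "dropper.dll"},     # document loading native code
    {"type": "registry_write", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"},
    {"type": "file_write", "path": "C:\\Users\\Public\\update.exe"},
    {"type": "process_start", "image": "update.exe"},
    {"type": "network_connect", "dest": "198.51.100.23:443"},  # documentation-range IP
]
# Constructed bytes standing in for the inspected attachment.
SAMPLE_FILE = b"%PDF-1.4 constructed sample, not a real document"

# Stage 1: behaviours that on their own mark a document as malicious.
STAGE1 = {
    "crash": "crashed the virtualized application",
    "unpack": "unpacked and substituted a different document",
}
CODE_EXT = (".dll", ".exe")

def inspect(events, file_bytes, host_process="WINWORD.EXE"):
    """Run the five-stage inspection over a sandbox event log and return a report."""
    findings = []
    for e in events:
        t = e["type"]
        if t in STAGE1:                                   # stage 1: crash / substitution
            findings.append(f"stage 1: {STAGE1[t]}")
        elif t == "load_module" and e["image"].lower().endswith(CODE_EXT):
            findings.append(f"stage 1: loaded executable code {e['image']}")
        elif t == "registry_write":                       # stage 2: registry changes
            findings.append(f"stage 2: registry write to {e['key']}")
        elif t == "file_write":                           # stage 3: file system changes
            findings.append(f"stage 3: wrote file {e['path']}")
        elif t == "process_start" and e["image"] != host_process:  # stage 3: new processes
            findings.append(f"stage 3: started process {e['image']}")
        elif t == "network_connect":                      # stage 4: outbound communication
            findings.append(f"stage 4: network connection to {e['dest']}")
    # Stage 5: record everything and fingerprint the file for fast re-identification.
    return {
        "verdict": "malicious" if findings else "clean",
        "findings": findings,
        "fingerprint": hashlib.sha256(file_bytes).hexdigest(),
    }

if __name__ == "__main__":
    for line in inspect(SAMPLE_EVENTS, SAMPLE_FILE)["findings"]:
        print(line)
```

A document that only starts its own viewer and does nothing else produces an empty findings list and a ‘clean’ verdict, which is the transparent pass-through case the text describes.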
Malicious files detected by the engine are quarantined so that they do not reach the user and cannot infect the trusted network. Even malware code that has been developed to detect when it is being executed within a virtualized environment is not immune to sandbox technology. This malware attempts to camouflage its actions or act in a benign way while in the environment in order to avoid detection. However, the ‘cloaking’ activity actually helps to identify the file’s malicious intent in that the attempt at disguise can be monitored by the threat emulation engine and logged as a suspicious file activity.
This entire process takes place transparently for the majority of files – meaning that even in the rare event that a file is inspected and proven ‘clean’, the intended recipient of the file will not notice any pause in email services. Information about detected file activity is then available to the IT team in a detailed threat report.
Sharing threat information globally
What if, following detection and blocking of a file by emulation, organisations were able to share information about the new threat to help others avoid infection too? After all, the new threat has been fingerprinted and a signature developed for it, meaning that wider infections can be prevented.
This is the principle behind Check Point’s ThreatCloud service, which helps to spread the knowledge acquired about a new enemy. In much the same way that global health organisations collaborate to fight emerging diseases and develop vaccines and other treatments, ThreatCloud’s collaborative approach closes the time window between the discovery of a new attack and the ability to defend against it. Once a new threat has been fingerprinted, details of it (including key descriptors such as the IP address, URL or DNS) are uploaded to ThreatCloud and automatically shared with subscribers worldwide. For example, if a new threat is being used as a targeted attack on a bank in Hong Kong and is identified by threat emulation, the new signature can be applied to gateways globally in minutes. By vaccinating organisations against the attack before the infection can spread, threat emulation reduces the chances of an outbreak becoming an epidemic, improving security for all.
So, even with cybercriminals targeting hundreds or thousands of companies, threat emulation can play a key role in protecting organisations against new malware strains and zero-day attacks. Using threat emulation to ‘know your enemy’ could become one of the strongest methods for securing organisations’ networks, creating a new first line of defense against malware.