Corey Nachreiner from WatchGuard Technologies looks at the changing characteristics of an Advanced Persistent Threat and explains why we need a new approach to mitigate the risks
Back in 2003, the SQL Slammer worm hit the headlines by targeting a known vulnerability in the Microsoft SQL database, for which a patch was available six months earlier. It caused havoc by quickly replicating itself and looking for new targets to infect – but it was avoidable if the right measures had been taken.
This caused vendors such as Microsoft, Adobe and Cisco to respond with frequent updates or patches, while Intrusion Prevention Systems (IPS) were developed to look for known patterns of vulnerability exploits and advances in antivirus software started to block and quarantine known malware. Regulations like PCI DSS mandate that companies keep their antivirus software updated to the latest signatures.
But today this is not enough. Zero-day exploits are the new battleground, as illustrated by recent vulnerabilities in Internet Explorer (IE) and Adobe Flash, both exploited in the wild using the same zero-day technique. In the case of the Flash media player, attackers run malicious code on a system simply by enticing users to a website containing specially crafted malicious Flash content.
Learning from science
In the biomedical field, researchers have long understood that microbes and bacteria evolve and become more resistant to antibiotics. They need to develop new and stronger medicines to stay current. The same is true in the information security world. Attackers have got smarter and new breeds of malware constantly emerge that are more advanced and resistant to conventional defences.
Modern malware uses advanced techniques such as encrypted communication channels, kernel-level rootkits and sophisticated evasion capabilities to get past a network’s defences. More importantly, it often leverages zero-day vulnerabilities – flaws for which no patch is available and no signature has been written. Modern malware is also designed to stick around: it carefully hides its communications and often cleans up after itself, deleting logs, using strong encryption and only reporting back to its controller in small, obfuscated bursts of communication.
These new strains of advanced malware are often referred to as Advanced Persistent Threats or APTs. Stuxnet and Duqu, for example, were two of the first APTs used by nation states to attack critical government infrastructure. More recently, popular botnets like Zeus have evolved to emulate APT techniques and are used by hackers for financial gain, targeting Fortune 500 companies along with small and medium businesses. Groups of highly skilled, motivated and financially backed attackers represent a significant threat because they have very specific targets and goals in mind.
The fight against malicious code is an arms race. Whenever defenders introduce new detection techniques, attackers try to find new ways to bypass them. Traditional antivirus companies detect suspicious activity or behaviour that indicates a virus and write a signature. But this is a losing proposition because it is always catching up.
More recently, sandbox solutions have been used as part of the detection process. Code is run and analysed dynamically in the sandbox without any human review. But malware authors now use evasive techniques to ensure that their programs do not reveal any malicious activity when executed in such an automated analysis environment. Common techniques include checking for the presence of a virtual machine; querying for well-known Windows registry keys that indicate a particular sandbox; or going to sleep for a while until the sandbox times out.
The most common sandbox implementations rely on a virtual environment that contains the guest operating system. The key problem and the fundamental limitation of modern sandboxes based on virtualisation is their lack of visibility and insight into the execution of a malware program.
The sandbox needs to see as much of the malware behaviour as it possibly can, but it needs to do it in a way that hides itself from the malware. If malware can detect the presence of a sandbox it will alter its behaviour.
A smarter approach is to emulate the operating system, which provides a high level of visibility into malware behaviour, but this is still relatively easy for advanced malware to detect and evade. More advanced sandboxes are able to see every single instruction sent to the CPU, which means that the sneaky evasion techniques employed at the instruction-by-instruction level can be detected.
If a file that has never been seen before is spotted, it can be analysed by monitoring the execution of all instructions to spot APT techniques that other sandboxes miss. An advanced malware detection solution needs to provide email alerts, log and report capabilities and a clear indication of why any file has been detected as malware, so that the detection is not dismissed as a potential false positive.
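To make the evasion tells above concrete from the analyst's side, here is an added example (not WatchGuard's code) that scores a sandbox execution trace for the three evasion behaviours described and reports why a sample was flagged. The trace format, the API and instruction event names, the sandbox registry marker and the 5-minute timeout are all assumptions constructed for this illustration.

```python
import re
from typing import NamedTuple

# Constructed trace format (assumption): "<ms> <api|insn> <detail>", one event per line.
# This sample shows the evasion profile: registry probe, hypervisor CPUID leaf, long sleep, exit.
SAMPLE_TRACE = [
    "5      api  GetSystemInfo()",
    "9      api  RegOpenKeyExW(HKLM\\SOFTWARE\\ExampleSandboxVendor\\Agent)",
    "12     insn cpuid eax=0x40000000",
    "15     api  Sleep(600000)",
    "600016 api  ExitProcess(0)",
]
# Constructed benign trace: does real work and exits without any evasion checks.
BENIGN_TRACE = [
    "3   api  CreateFileW(C:\\Users\\alice\\report.docx)",
    "7   api  WriteFile(handle=0x1c, 4096 bytes)",
    "12  api  Sleep(250)",
    "20  api  ExitProcess(0)",
]

SANDBOX_REG_MARKERS = ("ExampleSandboxVendor",)   # constructed marker, not a real product key
TIMEOUT_MS = 300_000                               # assumed sandbox watchdog: 5 minutes
PAYLOAD_APIS = ("CreateFileW", "WriteFile", "connect", "send", "InternetOpenUrlW")
EVENT = re.compile(r"^\s*(\d+)\s+(api|insn)\s+(\w+)(?:\((.*)\))?\s*(.*)$")

class Verdict(NamedTuple):
    suspicious: bool
    indicators: list

def analyse(trace):
    """Walk the trace once and collect human-readable evasion indicators."""
    indicators, sleep_total, did_work = [], 0, False
    for line in trace:
        m = EVENT.match(line)
        if not m:
            continue                      # skip malformed lines instead of aborting the run
        _ms, kind, name, args, rest = m.groups()
        args = args or ""
        # CPUID leaves 0x40000000+ are the hypervisor vendor leaves; leaf 1 is too noisy to count.
        if kind == "insn" and name == "cpuid" and rest.startswith("eax=0x4000"):
            indicators.append("queries hypervisor CPUID leaf (VM presence check)")
        elif name == "Sleep" and args.isdigit():
            sleep_total += int(args)
        elif name.startswith("RegOpenKey") and any(k in args for k in SANDBOX_REG_MARKERS):
            indicators.append(f"probes sandbox registry marker: {args}")
        elif name in PAYLOAD_APIS:
            did_work = True
    if sleep_total >= TIMEOUT_MS:
        indicators.append(f"stalls {sleep_total} ms, past the {TIMEOUT_MS} ms sandbox timeout")
    if indicators and not did_work:       # evasion checks followed by no payload activity
        indicators.append("no file or network activity before exit")
    return Verdict(len(indicators) >= 2, indicators)
```

A single indicator (a short sleep, one registry read) is common in clean software, so the verdict only flips when two or more tells co-occur, and the indicator list is what goes into the alert so the analyst can see why.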
Threats continue to evolve, which means that security solutions need to stay ahead. Antivirus and Intrusion Prevention Services are still a necessary part of any company’s defence but they need to be supplemented with new advanced zero-day detection capabilities.
Corey Nachreiner is director of security strategy at WatchGuard Technologies