5 principles to modern malware protection

Whether attackers use viruses, Trojans, bots or rootkits, modern malware is designed for long-term control of compromised machines. It therefore often includes offensive tactics that disrupt client-based security, such as rewriting the Windows HOSTS file to block antivirus signature and patch updates, or resetting Microsoft security updates to manual.
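A defender-side check for the HOSTS-file tampering described above, added here as an example (it is not FireEye's product logic or code from this article): it parses a HOSTS file and reports any entry that pins a security-update host, noting whether the target address is a sinkhole (loopback, unspecified, link-local or multicast). The watch list of update hosts and the sample file are assumptions constructed for the example.

```python
import ipaddress

# Update hosts whose redirection would starve the endpoint of signature and patch
# updates. Assumed watch list for this example; use the hosts your own tooling contacts.
WATCHED_UPDATE_HOSTS = {
    "update.microsoft.com",
    "windowsupdate.microsoft.com",
    "download.windowsupdate.com",
}

def parse_hosts(text):
    """Parse HOSTS file text into one record per (address, hostname) pair."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop full-line and inline comments
        if not line:
            continue
        fields = line.split()  # whitespace-separated: address, then one or more names
        for name in fields[1:]:
            records.append({"line": lineno, "ip": fields[0], "host": name.lower()})
    return records

def is_dead_address(ip):
    """True if the address can never reach a real update server."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # a malformed address still breaks name resolution
    # Private ranges are deliberately not flagged: an internal update mirror may live there.
    return addr.is_loopback or addr.is_unspecified or addr.is_link_local or addr.is_multicast

def find_update_overrides(text, watch_list=WATCHED_UPDATE_HOSTS):
    """Report every HOSTS entry that pins a watched update host, noting whether it is sinkholed."""
    hits = []
    for rec in parse_hosts(text):
        if rec["host"] in watch_list:
            rec["sinkholed"] = is_dead_address(rec["ip"])
            hits.append(rec)
    return hits

# Constructed sample HOSTS file for the example (not taken from a real machine).
SAMPLE_HOSTS = """\
# sample hosts file (constructed)
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.microsoft.com windowsupdate.microsoft.com  # not a stock entry
0.0.0.0         download.windowsupdate.com
198.51.100.7    intranet.example
"""
```

On a real Windows machine, feed `find_update_overrides` the contents of `%SystemRoot%\System32\drivers\etc\hosts`; a stock file contains no entries for the watched hosts at all, so any hit deserves a look.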

Modern malware also establishes outbound communications across several different protocols to upload stolen data and to download instructions and further malware payloads for other reconnaissance and malicious purposes.

As criminals became aware of the value of information being placed online, they quickly got involved in developing modern malware for profit. It should be no surprise that the rise in cybercrime has coincided with the increased use of the internet and especially Web 2.0 technologies.

Law enforcement, computer crime experts and the military are now playing catch-up to the threat posed to consumers, businesses and national security as cybercriminals cash in on stolen identity data, fraudulent online transactions and cyber espionage. It is clear that criminals with profit motives or political agendas are the main cause of the explosion of modern malware as we know it.

Cybercriminals have developed modern malware to bypass outdated security techniques, such as signatures, leaving businesses and consumers vulnerable to attack.

Signature-based technologies like IPS and antivirus software, both within perimeter and endpoint solutions, are increasingly ineffective against the rapidly evolving, blended threat of modern malware, as is evidenced by the continued and successful intrusions into commercial, federal and educational networks.

At the same time, more and more businesses and consumers are storing data on the network, or ‘in the cloud,’ and conducting transactions through the internet, making cybercrime more attractive.

Understanding the modern malware infection lifecycle

Modern malware attacks can no longer be seen as a single incident consisting of exploit, infection and remediation stages. Today’s attacks are coordinated efforts to penetrate an organisation’s defences and establish a foothold for the purposes of reconnaissance, network asset exploitation, data exfiltration, data alteration, data destruction, and/or establishing ongoing surveillance.

A new approach to understanding modern malware attacks is to see them as an infection lifecycle, in which the initial exploit or social engineering attack leads directly to a series of follow-on malware infections that persist despite repeated attempts to scan for and disable the attack.

As modern malware has become more sophisticated, conventional client-based antivirus scans and network-based intrusion scans are no longer able to disrupt and stop these coordinated sets of infections and attacks. While some infections are detected and removed by scans, the criminal maintains control of the system through the other, often zero-day, malware components that were not removed, using them to reinstall the removed malware and to disrupt endpoint security so that future removal fails.

Breaking the infection lifecycle

Given the serious consequences and the ineffectiveness of current solutions, FireEye is publishing and sharing its five key design principles for an effective network-based defence that breaks the modern malware infection lifecycle. Solutions should be held up to these criteria as part of any investment decision involving modern malware defences. The five key principles are:

1. Dynamic defences to stop targeted, zero-hour attacks
2. Real-time protection to block data exfiltration attempts
3. Integrated inbound and outbound filtering across protocols
4. Accurate, low false positive rates
5. Global intelligence on advanced threats to protect the local network

Dynamic defences to stop targeted, zero-hour attacks

To be effective, anti-malware solutions need to be intelligent enough to analyse network traffic and processes, rather than just comparing bits of code to signatures. Modern malware has been developed with conventional defences in mind, to maximise its chances of successfully exploiting an end-user system.

A dynamic analysis capability, as opposed to static signature-based comparison, is critical to enable a product to detect and stop polymorphic malware on the wire as well as malware hosted on dynamic, fast-changing domains.

In order to address these modern threats, a real-time, dynamic, and accurate analysis capability is critical. Rather than relying on signatures and lists, we must be able to dynamically recognise new attacks in real time, without requiring a priori knowledge of vulnerability, exploit or variant, and then prevent system compromise and data theft.

Real-time protection to block data exfiltration attempts

To protect the network, real-time analysis and blocking are essential to stopping data exfiltration that can take place within minutes, if not seconds, of the zero-hour infection.

It is important to be able to dynamically analyse network traffic to capture and detect zero-hour malware, but it is equally important to provide real-time capabilities to stop the outbound call-back communications and so disrupt the malware infection lifecycle.
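A detection-side check for the call-back traffic this principle aims to stop, added here as an example (not FireEye's product logic): given outbound connection records from a proxy or flow log, it flags a destination that one host contacts on a near-fixed cadence, which is what a scheduled call-back looks like and ordinary browsing does not. The record format, thresholds and sample flows are assumptions constructed for the example; in a real deployment the flagged channels are the candidates for blocking.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed outbound connection records: (epoch seconds, source host, destination, protocol).
# The first destination is contacted roughly every 60 s; the second shows bursty browsing.
SAMPLE_FLOWS = [
    (0, "ws-17", "203.0.113.9:443", "tls"),
    (60, "ws-17", "203.0.113.9:443", "tls"),
    (121, "ws-17", "203.0.113.9:443", "tls"),
    (180, "ws-17", "203.0.113.9:443", "tls"),
    (241, "ws-17", "203.0.113.9:443", "tls"),
    (300, "ws-17", "203.0.113.9:443", "tls"),
    (5, "ws-17", "198.51.100.4:80", "http"),
    (900, "ws-17", "198.51.100.4:80", "http"),
    (910, "ws-17", "198.51.100.4:80", "http"),
    (3000, "ws-17", "198.51.100.4:80", "http"),
    (3100, "ws-17", "198.51.100.4:80", "http"),
]

def find_beacons(flows, min_connections=5, max_jitter_ratio=0.1):
    """Flag (source, destination, protocol) channels whose connection gaps are suspiciously regular.

    Jitter ratio = population std-dev of the gaps between consecutive connections / mean gap.
    Human-driven traffic gives bursty, irregular gaps; a timer-driven call-back gives near-constant ones.
    """
    by_channel = defaultdict(list)
    for ts, src, dst, proto in flows:
        by_channel[(src, dst, proto)].append(ts)
    hits = []
    for (src, dst, proto), times in by_channel.items():
        if len(times) < min_connections:
            continue  # too few samples to judge cadence
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # all connections at the same instant: a burst, not a beacon
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter_ratio:
            hits.append({"src": src, "dst": dst, "proto": proto,
                         "interval_s": round(avg, 1), "jitter": round(jitter, 3),
                         "connections": len(times)})
    return hits
```

Tune `min_connections` and `max_jitter_ratio` against your own baseline; legitimate update checkers and monitoring agents also beacon, so an allow-list of known-good destinations belongs in front of this check.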

Integrated inbound and outbound filtering across protocols

Modern threats consist of attacks on multiple fronts, exploiting the inability of conventional network protection mechanisms to provide a unified defence; as soon as one vulnerability is defended, network attacks quickly shift to another.

It is now possible to have both inbound attack detection and outbound malware transmission filtering in a single appliance, providing administrators with a clientless solution that is easy to deploy and maintain.

So it is critical to provide thorough coverage across the many vectors used in attacks, coverage that can keep pace with the dynamic nature of modern attacks. Defending corporate networks from modern malware threats requires new protections that function across many protocols and throughout the protocol stack, including the network layer, operating systems and applications.

Accurate, low false positive rates

Other technologies, whether heuristic or behavioural analyses, are touted as an encouraging development, but in practice they are too inaccurate or too compute-intensive to function as standalone, real-time security mechanisms.

Such methods often augment an anti-malware solution's signature protections, but at the same time increase the likelihood of false positive alerts. The sheer volume and escalating danger of modern attacks are overwhelming limited IT resources and outmanoeuvring conventional defences.

Global intelligence on advanced threats to protect the local network

To maximise pre-emptive protection against a dynamic cyber threat, it is important to have a global network to provide the latest intelligence on malware threats and zero-hour attacks. Real-time malware intelligence to protect the local network against zero-day malware and advanced persistent threats can stop outbound call-backs that threaten to exfiltrate sensitive data.

By building an intelligence-sharing network with customers, technology partners and service providers around the world, it would be possible to distribute malware security intelligence efficiently, essentially serving as an internet cybercrime watch system that stops both inbound attacks and unauthorised outbound call-backs, preventing data exfiltration, alteration and destruction.

Ashar Aziz founded FireEye in 2004 and leads both the technical and business strategy of FireEye as CTO and CEO. Ashar has received over 20 patents in the areas of networking, cryptography, network security and data center virtualisation for work done prior to FireEye. Prior to FireEye, Ashar founded Terraspring, a company focused on datacenter automation and virtualisation. Terraspring was successfully acquired by Sun Microsystems in 2002, where Ashar then served as CTO of the company's N1 program. Before Terraspring, Ashar spent 12 years at Sun as a distinguished engineer focused on networking and network security. Ashar holds an S.B. (Scientiae Baccalaureus) in Electrical Engineering & Computer Science (EECS) from the Massachusetts Institute of Technology (MIT) and an M.S. in Computer Science from the University of California, Berkeley.