What Good Is A Snapshot In A Continuously Changing Malware Landscape?

In my last article I wrote that advanced malware and targeted attacks are profoundly changing how we must protect our systems. It’s no longer enough to focus on visibility and blocking at the point of entry in order to protect systems. Attacks today have reached a new level of sophistication and outbreaks are inevitable.

Like the infamous bank robber, Willie Sutton, who disguised himself as a mailman, a maintenance man, even a police officer to gain entry to targeted financial institutions and eluded captors for decades, modern malware can disguise itself as a legitimate application to evade defences. Later, when a breach occurs, you don’t know what you’re looking for. To contain and stop the damage, you need a broader approach to IT security that enables continuous visibility and control. Because once you “see it,” then you can “control it” and “protect it.”

Think for a moment about how today’s air transportation safety procedures have evolved as we’ve become savvier to potential threats. Airport security checkpoints are essential to the process of keeping threats off of our airplanes. However, the addition of air marshals and ongoing training of in-flight personnel to spot suspicious behaviour in the air are also critical to maintaining security. An individual may appear perfectly ‘normal’ and escape notice when passing through initial checkpoints. But behaviours change (i.e., he or she may become increasingly anxious, agitated or angry) as the time approaches to execute an attack.

Now consider today’s malware defences. Sandboxing, for example, takes the same ‘snapshot’ approach to security as an airport security gate. It provides a baseline level of protection, but it cannot identify sophisticated malware that appears ‘normal’ in a sandboxed environment – either failing to execute at all, or recognising that it is running in a sandbox and modifying its behaviour.

Yet unlike our air transportation safety program that continues to monitor individuals beyond the checkpoint, once a file is deemed ‘clean’ and leaves the sandbox it is no longer visible. At that point, malware has infiltrated the network and the problem shifts from threat prevention to threat removal; without ongoing visibility, an outbreak is inevitable.

To deal with advanced malware and targeted attacks, organisations must expand their approach to the malware problem to address the entire lifecycle of modern threats—from point of entry, through propagation, to post-infection remediation. Obviously, you still need a first line of defence that includes malware detection; the ability to identify files as malware at the point of entry and remediate accordingly is a fundamental first step.

But you also must identify technologies that extend visibility and control through to propagation and post-infection remediation. Let’s take a closer look at these phases of the malware lifecycle and technologies that can help increase protection.

Propagation. Malware that gets through the first checkpoint will change its behaviour, perhaps immediately but perhaps not for days, weeks or even months. You need solutions that will continuously monitor files and identify and analyse suspicious changes in behaviour, automatically cross-checking against other pieces of contextual information such as bandwidth usage, time of day and file movement for greater intelligence. Continuous file visibility and analysis are critical to understanding how to contain outbreaks and block future attacks.

Post-infection Remediation. Once you’ve identified suspicious behaviour, you need solutions that can automatically evaluate the file against the latest threat intelligence and retrospectively alert you to malware. You can’t afford system performance delays, so technologies that can leverage the cloud to analyse individual files without a full system scan will save computational cost.

Next you need to understand the scope of the breach—what was the file’s trajectory? Gaining visibility into which systems the file has touched and if it has been executed gives you actionable intelligence to contain the outbreak. Armed with this insight you can quickly take steps to remediate—quarantining files previously thought to be safe but now deemed to be malware and performing clean-up.
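The two steps above, retrospective alerting and file trajectory, come down to one design decision: never discard the record of where a file has been, so that a verdict that arrives later can be applied to every host that already holds the file. The following Python model is an added example written for this article; it is not Sourcefire's code, and the host names, timestamps and the 64-character hash placeholder are constructed. It records file arrivals, executions and copies between hosts, and when the threat-intelligence verdict on a hash flips from ‘clean’ to ‘malware’ it produces one retrospective alert per affected host, distinguishing hosts where the file merely landed (quarantine) from hosts where it actually ran (clean-up).

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FileEvent:
    """One observation of a file on a host.

    ts is minutes since an arbitrary epoch (constructed values in the demo).
    action is "arrived", "executed" or "copied_to"; dest is the receiving
    host for "copied_to" events.
    """
    ts: int
    host: str
    sha256: str
    action: str
    dest: Optional[str] = None


class FileTracker:
    """Keeps every file observation so a later verdict can be applied retrospectively."""

    def __init__(self) -> None:
        self.events: list[FileEvent] = []      # never pruned: this is the trajectory record
        self.verdicts: dict[str, str] = {}      # sha256 -> "clean" | "malware"

    def observe(self, ev: FileEvent) -> None:
        self.events.append(ev)
        # A copy to another host is also an arrival on that host.
        if ev.action == "copied_to" and ev.dest:
            self.events.append(FileEvent(ev.ts, ev.dest, ev.sha256, "arrived"))

    def set_verdict(self, sha256: str, verdict: str) -> None:
        """Point-of-entry verdict, e.g. from the sandbox."""
        self.verdicts[sha256] = verdict

    def trajectory(self, sha256: str) -> list[tuple[int, str, str]]:
        """Time-ordered list of (ts, host, action) for one file hash."""
        return sorted((e.ts, e.host, e.action) for e in self.events if e.sha256 == sha256)

    def hosts_seen(self, sha256: str) -> set[str]:
        return {e.host for e in self.events if e.sha256 == sha256}

    def hosts_executed(self, sha256: str) -> set[str]:
        return {e.host for e in self.events if e.sha256 == sha256 and e.action == "executed"}

    def update_intel(self, sha256: str, new_verdict: str) -> list[dict]:
        """Apply a new intel verdict and return retrospective alerts.

        Alerts are only raised on a transition *to* malware, so re-applying
        the same verdict is idempotent.
        """
        old = self.verdicts.get(sha256, "unknown")
        self.verdicts[sha256] = new_verdict
        if new_verdict != "malware" or old == "malware":
            return []
        executed = self.hosts_executed(sha256)
        return [
            {
                "host": host,
                "sha256": sha256,
                "previous_verdict": old,
                "executed": host in executed,
                # A file that ran needs clean-up; one that only landed can be quarantined.
                "recommended_action": "clean_up" if host in executed else "quarantine",
            }
            for host in sorted(self.hosts_seen(sha256))
        ]


DEMO_HASH = "a" * 64  # constructed placeholder, not a real indicator


def demo() -> tuple[FileTracker, list[dict]]:
    """Constructed scenario: a file passes the sandbox, lies dormant, then spreads."""
    t = FileTracker()
    day = 60 * 24
    t.observe(FileEvent(0, "gw-sandbox", DEMO_HASH, "arrived"))
    t.set_verdict(DEMO_HASH, "clean")                     # sandbox saw nothing
    t.observe(FileEvent(5, "ws-01", DEMO_HASH, "arrived"))
    t.observe(FileEvent(3 * day, "ws-01", DEMO_HASH, "executed"))   # dormant for three days
    t.observe(FileEvent(3 * day + 10, "ws-01", DEMO_HASH, "copied_to", dest="fs-01"))
    t.observe(FileEvent(3 * day + 20, "ws-02", DEMO_HASH, "arrived"))
    alerts = t.update_intel(DEMO_HASH, "malware")         # new intel: hash is now known-bad
    return t, alerts


if __name__ == "__main__":
    tracker, alerts = demo()
    for step in tracker.trajectory(DEMO_HASH):
        print("trajectory:", step)
    for a in alerts:
        print("retrospective alert:", a)
```

The point to notice is that the alert for `fs-01` and `ws-02` is raised even though those hosts never ran the file and no scan of them was performed: the trajectory record alone is enough to scope the breach and decide who gets quarantined versus cleaned up.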

Malware detection is a critical component of any defence strategy, but it isn’t fail-safe. Without continuous file analysis and retrospective alerting you’ll remain in the dark until your systems begin to significantly falter. When an attack does become evident, you’ll be challenged to know how to contain and stop the damage.

Leon is a field product manager for Sourcefire. Prior to joining Sourcefire, Leon was involved in the design and development of open source (OSS) Intrusion Prevention Systems. Leon applies his strong background in UNIX security and protocol analysis to overcome the challenges of network security monitoring in the enterprise, specifically in the areas of network intrusion detection, threat mitigation, event analysis and vulnerability assessment. In the little spare time Leon finds, he is the lead contributor to the open source network traffic forensics project OpenFPC (Open Full Packet Capture).