While organisations have had decades to understand how traditional malware prevention tools operate, so have adversaries. As a result, malware authors have become very skilled at designing malware that can mask itself and evade detection. When the success rate of a specific type of malware declines, attackers create new variants. Their approach is dynamic and changes at a pace that static point-in-time tools can’t keep up with. To build solutions that can overcome such dynamic adversaries, we have to understand how these attacks work and what evasion techniques are making them successful.
Some of today’s more sophisticated evasion techniques include:
This technique looks for signs that the malware is being run within a virtual machine or sandbox environment, and changes its behaviour to evade analysis. This includes delay tactics where files wait until they are scanned to execute malicious behaviour. Another tactic requires user interaction; the files wait until after a certain number of mouse clicks, mouse movements, or the launching of a specific program by the end user to exhibit malicious behaviour.
Lure documents are technically benign, but often hold enticing URLs linking to documents with malicious macros or embedded malware. An end user typically receives these documents through highly convincing, targeted phishing emails.
Domain Generation Algorithms (DGAs)
To keep malware fresh and effective, adversaries use algorithms to create a variety of domain names that conceal their traffic and evade detection. The goal is to generate so many domain names that it becomes impossible to block all of them. DGAs have typically been short-lived, but the average life span has expanded significantly—up to about 40 days.
This type of malware runs completely in memory without writing any artefacts to the file system or registry. That is, unless the attacker wants to put persistent mechanisms in place, such as storing a command to re-infect a victim in a registry. The command is automatically executed when a system is booted. Fileless malware is harder to detect, and makes forensic investigations and incident response more challenging because permanent system changes are kept to a minimum or avoided altogether.
With this technique, a malware sample can change itself to evade systems looking for specific files or patterns within a file. The malware can accomplish this in a variety of ways, including rearranging where certain parts of the code are stored within itself, encoding or encrypting portions of itself in various ways, or modifying noncritical portions of itself, either by changing certain values, or adding and removing portions.
This is a way for malware creators to install additional, usually unwanted software along with a desired piece of software. While the ability to bundle software may be legitimate and intentional on the part of the software authors, malicious actors can deliver their malware to users through what is known as a supply chain attack. In this scenario, attackers gain control of a portion of the legitimate software’s development or release process, which allows them to bundle their malicious code within it, unbeknownst to the software’s authors and users.
How the industry responds
As soon as the industry discovers a new threat type or evasion technique, it sees an opportunity to promote a shiny new product. The product works for a while, until the next new threat pops up and creates the need for yet another tool. As a result, organisations have fallen into the cycle of implementing products that focus completely on the latest method of protection instead of investing in comprehensive solutions. Fast forward a few years: organisations are finding themselves drowning in endpoint security tools that don’t speak to one another, require management by a large number of skilled IT personnel who can be hard find, and demand ever-increasing funding that can be even harder to come by.
What’s needed: a complete transformation
So how can organisations get out of this cycle and start defending themselves from advanced threats more effectively and efficiently?
What’s needed is a truly transformational change in how we detect malicious activity. Defenders need integrated solutions that go beyond the limitations of traditional point-in-time technologies. They need the next-generation of endpoint security. Next-Generation Endpoint Security (NGES) is essentially the convergence of multiple technologies providing protection, detection, and response capabilities in an integrated solution. In this model, detection and response are no longer separate disciplines or processes, but extensions of a cohesive, continuous approach. When these components are brought together into one integrated system, organisations start to experience greater endpoint security efficiency and effectiveness.
Traditional security is reactive. But today’s threats require a much more proactive approach. Our latest eBook, What Attacks Aren’t You Seeing, explores this in greater details. Download it below.