Successful targeted attacks bypass security controls and typically cause significant damage to an enterprise. Damages may include reputation, monetary, and intellectual property losses. Many attacks leverage zero-day malware, which are malicious programs that security scanners miss on the day they are used for the first time.
Several approaches are commonly used to combat targeted attacks, with varying degrees of success. In this post, I will briefly explore these approaches and identify the key problems with each. I’ll also discuss new Intel Security technology that approaches the targeted attack problem in a novel way.
Endpoint threat detection and response: This technology hunts for artifacts used in previously reported targeted attacks and by zero-day malware. It gathers those results and “connects the dots” using threat intelligence information and link analysis. Because this approach involves multiple steps carried out manually, the process is dependent on security analysts’ capabilities and the quality of intelligence feeds.
Offline detonation-based advanced threat detection: This approach provides incremental value over antimalware scanning by detecting additional malware samples, some of which could be zero-day threats. The critical weakness in this approach is its sample replication effectiveness rates. Some sophisticated malware can sense when it is running in a virtual “sandbox” environment and evade detection in several ways. Also, some malware requires a runtime environment in the form of third-party DLL or library dependencies that may not be present in a synthetic replication environment. Even when a sample successfully executes, the technology captures its execution trace and abstracts the behavior of the program, which in turn is analyzed and classified by manually authored heuristics rules and signatures. Sophisticated malware can often bypass this approach.
Whitelisting and application containment: This approach allows only known applications to execute. Backed by policy-based gray-list management, this method relies on whitelisting known apps and programs. The immense number of applications makes this impractical. One smart solution to this problem is using policy-based containment in which the unknown app is quarantined until it is determined to be clean through an external classification system or crowdsourced labeling process. Both approaches impose delays and usability challenges.
Signature-based blacklisting: This is the most prevalent approach; it has survived for more than 30 years. Because this method is reactive, it is best suited for and most effective at detecting “garden variety” malware. Antimalware detection survives because it provides an automatic detection-and-response model, irrespective of how much it detects and the value it provides. Blacklisting is least dependent on manual intervention while making a classification decision and remediating a threat. Even though antimalware products close a huge gap in malware detection and response, they provide a handy, publicly available platform for malware authors to test their malware samples prior to attacks.
Let’s summarize the problems with current approaches:
- They increase the cognitive load on security personnel. Even state-of-the-art ETDR and SIEM tools that provide many alerts and parent-child process genealogy flows transfer analysis and decision making to security analysts. These products require additional “analysis clicks” per incident during the analysis and investigation process and hence increase opportunities for error.
- Synthetic replication environments can often be bypassed by sophisticated targeted attacks.
- Even though threats have multiplied in volume and complexity year after year, our ability to respond quickly has not improved proportionally. There are “time to market” challenges with reactive signatures and rule updates approaches when dealing with zero-day attacks.
- Good (or even average) threat researchers and security analysts are hard to find.
Real Protect: a new approach to detecting targeted attacks
To address the challenge of targeted attacks, McAfee Labs has developed Real Protect, technology that takes a balanced approach to detecting sophisticated and zero-day malware. It is automatic, it reduces dependence on malware researchers to analyze malware and write signatures, it provides signatureless detection of zero-day malware, and it continues to detect “garden variety” malware with the same accuracy and performance that comes with antimalware scanners.
Real Protect uses both static and dynamic program attributes to precisely characterize program behavior. Based on hundreds of static file attributes and several thousand dynamic feature attributes, Real Protect continuously learns multiple classification models from the hundreds of thousands of malicious and clean programs seen by Intel Security. Real Protect does not rely on any single machine-learning algorithm but uses an ensemble of algorithms from the supervised and unsupervised classes of machine learning.
Real Protect implements a cloud-assisted endpoint architecture. The endpoint runs a very lightweight endpoint sensor while the machine-learning classification activity runs in the cloud. Hosting machine-learning models in the cloud not only allows us to learn new emerging program behaviors and frequently update our machine-learning models, but it also enables us to track and monitor attempts by malware authors who repeatedly test new malware samples in an effort to bypass detection by Real Protect.
The Real Protect client traces the execution of programs and all side effects caused by them on the endpoint. Because malware typically downloads and executes several other programs, Real Protect records parent-child relationships by tracking every child and grandchild spawned in the system.
Real Protect also collaborates with antimalware scanners to improve classification. Once Real Protect makes a “conviction” decision, it both blocks the program and automatically “rolls back” the side effects caused by the malware. In addition, the antimalware scanner automatically “cleans” any complex parasitic virus infections detected in the system.
Real Protect is disruptive because it does not need to perform offline detonation of advanced malware in synthetic replication environments.
Real Protect technology has been released in the McAfee Stinger tool. It can be downloaded here.