It used to require advanced technical skill and determination to create and deploy sophisticated cyberattacks. Today, cybercrime has evolved to incorporate an entire underground economy in which tools and services for nefarious activities can be purchased or rented. This has made advanced and highly evasive threats more accessible and commonplace. Evasive threats are built to identify commercial malware analysis environments, commonly known as sandboxes, and will pause malicious activity until no longer at risk of detection.
Organizations struggle to identify these highly evasive threats and often fail to prevent them. Here are three key challenges businesses and security tools face when combating evasive threats:
Security professionals have developed defenses to detect cyberthreats, such as virtual malware analysis environments. At the same time, threat actors have packaged automation and commodity hardware into well-defined “playbooks” that are sold or rented in the cybercrime underground. This has lowered the barrier to entry for a whole range of threat actors, from less sophisticated novices to advanced attackers and nation-states, and the result is more sophisticated attacks and a higher likelihood of successful data breaches.
Evasive malware hides its identity and intent from traditional malware analysis environments. Before running its payload, the malware searches for indicators that it is executing inside a virtual analysis environment rather than on a victim’s machine: signs that the file is being detonated and observed; an absence of genuine user activity such as keystrokes, mouse movement or a USB device being plugged in; and artifacts of virtualization technology, such as telltale usernames, unusually small disks and the like. If it finds them, it stays dormant until it is no longer at risk of detection.
Open source has revolutionized how software is developed. When it comes to threat analysis, however, it has become more of a liability. The majority of malware analysis environments are built on open-source components, whose code, default configurations and known vulnerabilities are available to attackers as well as defenders. Malware authors design threats that recognize the fingerprints of popular hypervisors and evade the detection techniques built on top of them.
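To make the second and third challenges concrete, here is an added example (not Palo Alto Networks or WildFire code) of the kind of environment checks evasive malware runs before detonating, written from the defender’s side so that each hit names an artifact an analysis VM should hide. The indicator lists and thresholds are illustrative assumptions rather than values taken from any real sample; the CPUID vendor strings are the ones the named hypervisors publish. The three host profiles at the bottom are constructed inputs.

```python
"""Added example (not Palo Alto Networks code): sandbox-detection heuristics of
the kind evasive malware applies, from the defender's side. Each hit names an
artifact to scrub from an analysis VM. Indicator lists and thresholds are
illustrative assumptions, not values taken from any real sample."""
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed: usernames seen in off-the-shelf analysis images and tutorials.
SUSPECT_USERS = {"sandbox", "malware", "virus", "analyst", "john doe", "user", "test", "admin"}
# CPUID leaf 0x40000000 vendor strings published by the hypervisors themselves.
HYPERVISOR_VENDORS = {
    "VMwareVMware": "VMware", "VBoxVBoxVBox": "VirtualBox", "KVMKVMKVM": "KVM",
    "Microsoft Hv": "Hyper-V", "XenVMMXenVMM": "Xen", "TCGTCGTCGTCG": "QEMU (TCG)",
}
# Substrings in BIOS/system vendor, disk model or NIC strings that leak the hypervisor (assumed list).
HARDWARE_MARKERS = ("vmware", "virtualbox", "vbox", "qemu", "innotek", "xen", "kvm", "bochs")
# Assumed resource thresholds: real workstations usually exceed these, default analysis VMs often do not.
MIN_DISK_GB, MIN_RAM_GB, MIN_CPUS, MIN_UPTIME_S, MIN_MOUSE_MOVES = 60, 4, 2, 600, 3


@dataclass
class HostFacts:
    username: str
    disk_gb: float
    ram_gb: float
    cpus: int
    uptime_s: float
    hypervisor_vendor: str = ""                 # "" when CPUID reports no hypervisor
    hardware_strings: List[str] = field(default_factory=list)
    mouse_moves: Optional[int] = None           # distinct cursor positions seen; None = not sampled


def sandbox_indicators(f: HostFacts) -> List[str]:
    """Return the artifacts that would make malware suspect an analysis environment."""
    hits = []
    if f.username.strip().lower() in SUSPECT_USERS:
        hits.append(f"username '{f.username}' is a common analysis-image default")
    if f.hypervisor_vendor in HYPERVISOR_VENDORS:
        hits.append(f"CPUID hypervisor vendor exposes {HYPERVISOR_VENDORS[f.hypervisor_vendor]}")
    for s in f.hardware_strings:
        marker = next((m for m in HARDWARE_MARKERS if m in s.lower()), None)
        if marker:
            hits.append(f"hardware string '{s}' names the hypervisor ({marker})")
    if f.disk_gb < MIN_DISK_GB:
        hits.append(f"disk {f.disk_gb:g} GB below {MIN_DISK_GB} GB")
    if f.ram_gb < MIN_RAM_GB:
        hits.append(f"RAM {f.ram_gb:g} GB below {MIN_RAM_GB} GB")
    if f.cpus < MIN_CPUS:
        hits.append(f"{f.cpus} CPU(s) below {MIN_CPUS}")
    if f.uptime_s < MIN_UPTIME_S:
        hits.append(f"uptime {f.uptime_s:g}s below {MIN_UPTIME_S}s (freshly restored snapshot)")
    if f.mouse_moves is not None and f.mouse_moves < MIN_MOUSE_MOVES:
        hits.append(f"only {f.mouse_moves} cursor movement(s) observed (no live user)")
    return hits


def looks_like_sandbox(f: HostFacts, threshold: int = 2) -> bool:
    """Evasive samples usually require several hits before going dormant, so a
    single incidental match (one small disk) does not by itself trigger evasion."""
    return len(sandbox_indicators(f)) >= threshold


# Constructed inputs: a stock analysis VM, the same VM after hardening, and a real workstation.
STOCK_SANDBOX = HostFacts("sandbox", 40, 2, 1, 90, "VBoxVBoxVBox", ["innotek GmbH", "VBOX HARDDISK"], 0)
HARDENED_SANDBOX = HostFacts("alice", 250, 8, 4, 7200, "", ["Dell Inc.", "ST1000DM010"], 12)
WORKSTATION = HostFacts("bob", 500, 16, 8, 86400, "", ["LENOVO", "Samsung SSD 970"], 40)

if __name__ == "__main__":
    for name, facts in [("stock", STOCK_SANDBOX), ("hardened", HARDENED_SANDBOX), ("workstation", WORKSTATION)]:
        print(f"{name}: sandbox={looks_like_sandbox(facts)}")
        for h in sandbox_indicators(facts):
            print("  -", h)
```

Running it against the stock profile lists nine artifacts, while the hardened profile and the workstation produce none: the practical lesson is that a sandbox only sees evasive payloads when its username, hardware strings, hypervisor signature, resource sizing, uptime and simulated user input all look like a real endpoint, which is the gap that bare-metal analysis closes entirely.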
Palo Alto Networks® Next-Generation Security Platform approaches evasive threat detection and prevention with these three challenges in mind. An integral part of the platform is the WildFire® threat analysis service, which combines static analysis; dynamic analysis in a custom-built virtual analysis environment; machine learning; and a bare metal analysis environment that executes samples on real hardware, leaving no virtualization artifacts for malware to detect.
Also part of the Next-Generation Security Platform is AutoFocus™ contextual threat intelligence service, which provides the information necessary to understand why, where and how an attack will impact a network. It answers questions like “Who is attacking?” “What tools are they using?” and “How is this going to impact the network?” and automatically prioritizes targeted attacks. The result is faster analysis, easier correlation and rapid incident response.
Palo Alto Networks® Next-Generation Security Platform spans the network, cloud and endpoint, automatically preventing even the most evasive known and unknown malware and zero-day threats with high efficacy and near-zero false positives.
To learn more about defending against evasive attacks, read the Rethink Your Strategy to Defeat Evasive Attacks white paper.