Attackers are constantly reusing, modifying, or creating entirely new malware, resulting in large volumes of malware targeting organizations. This also enables attackers to focus on the development of more highly evasive threats, built to detect malware analysis environments and halt malicious activity until they are no longer under analysis. In the meantime, organizations struggle both to keep up with the large volume of malware and to identify and prevent sophisticated attacks.
Detecting evasive threats poses multiple challenges. Evasive threats search for indicators of valid user activity and of virtualization technology, and they pause malicious activity until they are no longer at risk of being identified. They exploit known vulnerabilities in open source software and probe for the detection techniques used by popular hypervisors. As a result, such evasion capabilities are becoming highly commoditized and thus more commonly used.
It is essential to rethink the tactics used to detect this modern type of malware. Below are three key things security tools must do to aid in identifying and, ultimately, preventing evasive threats.
To detect highly evasive malware, use a purpose-built virtual analysis environment that incorporates a unique hypervisor and emulator that doesn’t rely on open source or proprietary software. This environment should not show characteristics that would divulge to the attacker that they have been spotted or the malware’s behavior is being observed.
The use of a virtual environment for malware analysis is unavoidable. However, samples displaying evasion techniques in a virtual environment should also be detonated on real hardware systems, also known as bare metal analysis environments. To avoid raising suspicion with attackers, the suspected files should be dynamically steered to the bare metal environment without human intervention.
To combat the rise of highly evasive threats available in the underground economy, organizations should incorporate highly contextual and actionable threat intelligence into their security defenses.
Threat intelligence should come from multiple sources and be correlated and validated to supply the necessary context. Without proper context, threat intelligence merely adds to the noise with overwhelming amounts of raw indicators of compromise. The result is an increase in false positives and false negatives, and it takes security staff to turn any of it into an actionable response. Additionally, integrating threat intelligence with virtual analysis environments enables rapid, automated prevention, minimizing the need for additional specialized staff.
Palo Alto Networks® Next-Generation Security Platform detects and prevents even the most evasive threats automatically across the network, cloud and endpoint. An integral part of the platform is the WildFire™ threat analysis service, which incorporates multiple techniques for evasion-resistant malware analysis and automated prevention – static analysis, dynamic analysis via a custom-built virtual analysis environment, machine learning and a bare metal environment for full execution on real hardware.
Also part of the platform is the AutoFocus™ contextual threat intelligence service, which provides the information necessary to understand why, where and how an attack will impact a network. It answers questions like “Who is attacking?” “What tools are they using?” and “How is this going to impact the network?” and automatically prioritizes targeted attacks. The result is faster analysis, easier correlation and rapid incident response, ultimately reducing the need for additional specialized IT security resources.
To learn more about defending against evasive attacks, read the Rethink Your Strategy to Defeat Evasive Attacks white paper.