Most traditional security products are built to act based on known threats. The moment they see something that is known to be malicious, they block it. To get past security products that successfully block known threats, attackers are forced to create something that has never been seen before, increasing the cost to execute an attack. How do they do it, and what can we do to prevent both known and unknown threats?
Let’s look at a few scenarios:
Recycled threats are considered the most cost-effective attack method, which is why attackers often reuse existing threats built on previously proven techniques. What makes these recycled threats “unknown” is the limited memory of security products. Every security product has a finite store of signatures, and security teams load the most up-to-date threats into it, hoping to block the majority of incoming attacks. If an older threat that the product no longer tracks attempts to enter the network, it can bypass the product because it is not categorized as something seen before.
To protect against these “unknown” recycled threats, it is critical to have access to a threat intelligence memory keeper, often placed in an elastic cloud infrastructure capable of scaling to address the volume of threat data. In the event that a security product doesn’t have a particular threat identified and stored, access to the larger knowledge base of threat intelligence could help determine if something is malicious and enable the security product to block it.
Modifying existing code is somewhat more expensive than recycling threats. Attackers take an existing threat and make slight modifications to the code, either manually or automatically, as the threat moves through the network. The result is polymorphic malware or a polymorphic URL. Like a virus, the malware continuously and automatically morphs. If a security product identifies the original threat as known and creates a protection for only that one variation, any slight change to the code turns the threat back into an unknown.
Some security products match threats using hashes: a hash function computes a fixed-length value from a file's or string's contents, and even a one-byte change produces a completely different value. In this context, a hash value matches exactly one variation of the threat, so any new variation will be considered new and unknown.
To better protect against these threats, security products need to use polymorphic signatures. Polymorphic signatures are created from the content and patterns of traffic and files, rather than from a hash, and can identify and protect against multiple variations of a known threat. Focusing on content and behavior, rather than on one fixed encoding, allows the detection of patterns that survive modification of the malware.
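The following is an added example, not code from the original article, that contrasts the two approaches: an exact hash blocklist that stops matching as soon as one byte changes, and a content-pattern signature that still matches the modified variant. The three "samples" are constructed placeholder HTTP requests, and the pattern is a made-up stand-in for a real polymorphic signature.

```python
import hashlib
import re

# Constructed samples (not real malware): a request from a hypothetical
# "Loader" downloader, a slightly modified variant of it, and a benign request.
ORIGINAL = b"GET /update.bin HTTP/1.1\r\nHost: example.invalid\r\nUser-Agent: Loader/1.0\r\n\r\n"
VARIANT = b"GET /update2.bin HTTP/1.1\r\nHost: example.invalid\r\nUser-Agent: Loader/1.1\r\n\r\n"
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\nUser-Agent: Mozilla/5.0\r\n\r\n"

SAMPLES = {"original": ORIGINAL, "variant": VARIANT, "benign": BENIGN}


def sha256_hex(data: bytes) -> str:
    """Exact-content hash; any single-byte change yields a different digest."""
    return hashlib.sha256(data).hexdigest()


def hash_signature_matches(data: bytes, blocklist: set) -> bool:
    """Hash-based detection: only an identical file matches the blocklist."""
    return sha256_hex(data) in blocklist


# Pattern-based ("polymorphic") signature, assumed for this example: it encodes
# the invariant structure (an /update*.bin fetch by a Loader/x.y agent) and
# tolerates the parts an attacker is likely to change between variants.
PATTERN = re.compile(
    rb"GET /update\w*\.bin HTTP/1\.1\r\n.*User-Agent: Loader/\d+\.\d+", re.S
)


def pattern_signature_matches(data: bytes) -> bool:
    """Content/pattern-based detection: matches every variant sharing the structure."""
    return PATTERN.search(data) is not None


def compare(samples=SAMPLES):
    """Return {name: (hash_match, pattern_match)} for each sample.

    The blocklist holds only the hash of ORIGINAL, mirroring a product that
    built its protection from a single observed variation.
    """
    blocklist = {sha256_hex(ORIGINAL)}
    return {
        name: (hash_signature_matches(d, blocklist), pattern_signature_matches(d))
        for name, d in samples.items()
    }
```

The modified variant is missed by the hash blocklist but still caught by the pattern signature, while the benign request matches neither.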
Attackers who are more determined and willing to invest the money will create an entirely new threat with purely new code. All aspects of the cyber attack lifecycle have to be new for an attack to truly be considered a previously unknown threat.
Turning unknown threats into known threats and actively preventing them happens in a combined environment. First, you need to predict the next attack step and location. Second, you need to be able to develop and deliver protection quickly to the enforcement point in order to stop it.
When a truly new threat enters your organization, the first line of defense is having cybersecurity best practices that are specific to the organization. At the same time, you should be sending unknown files and URLs for analysis. The effectiveness of sandbox analysis depends on the time it takes to provide an accurate verdict on an unknown threat and to create and implement protections across the organization, as well as how your sandbox environment handles evasive threats. Your security posture needs to be changed fast enough to block the threat before it has the ability to progress – in other words, as soon as possible. And to ensure that this threat does not further traverse the network, preventions need to be created and implemented automatically across all security products faster than the threat can spread.
A recent SANS survey reported that 40 percent of attacks have previously unknown elements. The ability to detect unknown threats and prevent successful attacks defines the effectiveness of your security deployment. A true next-generation security platform is agile, quickly turning unknown threats into known protection and prevention on a global level, automatically sharing new threat data and extending new protections throughout the organization to stop the spread of an attack.