By every estimate, Advanced Persistent Threats (APTs) are increasing rapidly. A large industry of cybersecurity products, going far beyond early-generation anti-virus and firewall solutions, has sprung up to combat these threats at the various stages of the exploitation lifecycle.
Although APTs vary significantly from one another, there is one clear common denominator at the heart of every successful attack.
Traditional defenses, even the most advanced ones such as sandboxing, have all rested on the assumption that sufficiently clever analysis can detect "malicious intent" and separate it from "good content." The result is the cat-and-mouse game the industry is living through today, and it is one the attackers are winning: they keep evolving their techniques to work around heuristic detection.
These technologies, moreover, suffer from high rates of both missed detections and false alarms.
But what happens if there is a "weakest link" -- common for all or most cyber attacks -- that could invert the situation, giving the defender the upper hand?
Finding common ground in APT
To establish a beachhead, attackers need to get a piece of executable code, or other active content, onto a machine in the target network. They will use any number of methods, such as spear phishing, to get a user to open malicious content. To avoid detection, the executable code (the shellcode) is hidden inside data objects such as Office documents and is executed by exploiting vulnerabilities in common applications, Adobe Reader for example.
The impact can be staggering: cybercrime damages are expected to hit $6 trillion annually by 2021, according to a Cybersecurity Ventures report.
Prevent rather than remediate
APTs continue to follow a familiar route to exploitation. Drawing on Mandiant's M-Trends reports, the exploitation lifecycle can be summed up as follows:
- Step 1: Reconnaissance
- Step 2: Initial Intrusion into Network
- Step 3: Establish Network Backdoor
- Step 4: Obtain User Credentials
- Step 5: Install Various Utilities
- Step 6: Privilege Escalation/Lateral Movement/Data Exfiltration
- Step 7: Maintain Persistence
However, it is Step 2, the initial intrusion, that remains the critical step for APT operators.
Gaining a beachhead in the target environment is the primary goal of the initial intrusion. Once a system is exploited, the attacker usually places malware on it and uses it as a starting point or proxy for further actions. Malware placed during this phase is commonly a simple downloader, a basic Remote Access Trojan, or a simple shell.
The problem is that few cybersecurity tools can detect shellcode that has been wrapped in a dynamic packer or encoder, because no known signature or pattern exists for the result.
It is clear that preventing an intrusion early, before costly remediation becomes necessary, is the best and cheapest way to fight APTs. In 60% of cases attackers compromise an organization within minutes, yet most businesses take nearly 200 days to detect a breach on their network, and remediation costs rise with every day of dwell time.
Detecting the evasive
Attackers still hold the edge, particularly with zero-day exploits, despite considerable security investment. Traditional security products often become counter-productive: to identify a threat they execute the questionable content and observe its behavior in an environment that mimics the target, which is exactly the step that evasive malware is built to detect and sidestep.
To get ahead, you need a security architecture that is evasion-proof by design.
An evasion-proof architecture does not open or execute incoming files at all. Instead it systematically scans them for hidden code instructions, or any other commands that indicate malicious intent. Because it examines the code itself rather than triggering the exploit that carries it, nothing is detonated: suspicious code can be caught, placed in quarantine, and reviewed later.
Ultimately, no malicious code can "evade" detection, because it never gets the chance to execute.
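As an added illustration of scanning for code instructions without executing anything (this is not Solebit's engine or code), the following Python looks through a byte buffer for a few classic x86 shellcode idioms: the position-independent "GetPC" tricks (call $+5, fnstenv, jmp/call/pop) and a NOP sled. The sample buffers are constructed here, and the idiom list and sled threshold are my assumptions.

```python
from __future__ import annotations
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    offset: int
    idiom: str


def scan_shellcode_idioms(buf: bytes, min_sled: int = 16) -> list[Hit]:
    """Static scan for x86 shellcode idioms. Nothing in buf is ever executed."""
    hits: list[Hit] = []
    n = len(buf)
    i = 0
    while i < n:
        b = buf[i]
        # call $+5 (E8 00 00 00 00): pushes the address of the next instruction,
        # the oldest way for position-independent code to learn where it lives
        if buf[i:i + 5] == b"\xe8\x00\x00\x00\x00":
            hits.append(Hit(i, "call $+5 (GetPC)"))
        # fnstenv [esp-0xc] (D9 74 24 F4): dumps the FPU state so the address of
        # the last FPU instruction lands on the stack
        if buf[i:i + 4] == b"\xd9\x74\x24\xf4":
            hits.append(Hit(i, "fnstenv [esp-0xc] (GetPC)"))
        # jmp short / call back / pop: EB xx jumps forward to an E8 whose negative
        # rel32 lands exactly on the byte after the jmp (the pop)
        if b == 0xEB and i + 2 <= n:
            disp = buf[i + 1]
            tgt = i + 2 + disp
            if disp < 0x80 and tgt + 5 <= n and buf[tgt] == 0xE8:
                rel = struct.unpack_from("<i", buf, tgt + 1)[0]
                if rel < 0 and tgt + 5 + rel == i + 2:
                    hits.append(Hit(i, "jmp/call/pop (GetPC)"))
        # NOP sled: a long run of 0x90 so an imprecise jump still slides into the payload
        if b == 0x90:
            j = i
            while j < n and buf[j] == 0x90:
                j += 1
            if j - i >= min_sled:
                hits.append(Hit(i, f"NOP sled ({j - i} bytes)"))
            i = j
            continue
        i += 1
    return hits


# Constructed samples (not real malware): a benign text blob, and a blob that
# carries a NOP sled, a jmp/call/pop stub and a call $+5 between PDF-looking tokens.
SAMPLE_BENIGN = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n"
GETPC_STUB = (
    b"\xeb\x0b"                # jmp short +11  -> lands on the call below
    + b"\x59"                  # pop ecx        <- the call returns here
    + b"\x31\xc0" * 5          # filler: xor eax,eax
    + b"\xe8\xf0\xff\xff\xff"  # call -16       -> back to the pop
)
SAMPLE_SUSPECT = (
    b"%PDF-1.4 " + b"\x90" * 20 + GETPC_STUB
    + b"\xe8\x00\x00\x00\x00\x5b"  # call $+5 ; pop ebx
    + b" endobj"
)


def idioms_found(buf: bytes) -> list[str]:
    """Convenience: the idiom names found in buf, in offset order."""
    return [h.idiom for h in scan_shellcode_idioms(buf)]


if __name__ == "__main__":
    for name, blob in (("benign", SAMPLE_BENIGN), ("suspect", SAMPLE_SUSPECT)):
        print(name, scan_shellcode_idioms(blob))
```

Byte-level idioms like these are indicators, not verdicts: they can occur by chance in benign binary data such as images, and an encoded payload hides them behind a decoder stub, so a production scanner also has to recognize decoder stubs and unpack embedded streams (OLE storages, PDF object streams) before scanning them.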
Similarly, such a platform would analyze scripts with a limited, purpose-built interpreter that evaluates every statement line by line without running the script. Every possible flow of execution, including every conditional branch, is exposed and normalized.
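To make the branch-exploring idea concrete, here is an added example in Python (my illustration, not the proprietary interpreter the article mentions) that uses Python's own ast module as the "script" language. It never runs the script: every variable carries the set of string values it can hold, both arms of each if are explored from the same state and merged, and every string that could reach an assumed sink such as run() is collected. The sample script and the sink names are constructed for the example.

```python
import ast
from typing import Dict, List, Set

Env = Dict[str, Set[str]]
UNKNOWN = "<unknown>"
# Assumed names of "execute this string" calls in the scripts being analysed
SINKS = {"run", "eval", "exec"}


def eval_expr(node: ast.expr, env: Env) -> Set[str]:
    """Every string value the expression can take under env; nothing is executed."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return {node.value}
    if isinstance(node, ast.Name):
        return set(env.get(node.id, {UNKNOWN}))
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return {a + b for a in eval_expr(node.left, env) for b in eval_expr(node.right, env)}
    # s.replace(old, new) is a common obfuscation step; normalise it rather than run it
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "replace" and len(node.args) == 2):
        olds = eval_expr(node.args[0], env)
        news = eval_expr(node.args[1], env)
        return {s.replace(o, n) for s in eval_expr(node.func.value, env) for o in olds for n in news}
    return {UNKNOWN}  # outside the limited language: value is opaque but still tracked


def exec_block(stmts: List[ast.stmt], env: Env, sinks: Dict[str, Set[str]]) -> Env:
    """Walk statements and return the environment after the block. Runs nothing."""
    env = {k: set(v) for k, v in env.items()}
    for st in stmts:
        if (isinstance(st, ast.Assign) and len(st.targets) == 1
                and isinstance(st.targets[0], ast.Name)):
            env[st.targets[0].id] = eval_expr(st.value, env)
        elif isinstance(st, ast.If):
            # The condition is never decided: both arms are explored from the same
            # state and the resulting states are merged (union per variable).
            then_env = exec_block(st.body, env, sinks)
            else_env = exec_block(st.orelse, env, sinks)
            env = {k: then_env.get(k, set()) | else_env.get(k, set())
                   for k in then_env.keys() | else_env.keys()}
        elif (isinstance(st, ast.Expr) and isinstance(st.value, ast.Call)
              and isinstance(st.value.func, ast.Name) and st.value.func.id in SINKS):
            for arg in st.value.args:
                sinks.setdefault(st.value.func.id, set()).update(eval_expr(arg, env))
        # any other statement is outside the limited language and is skipped
    return env


def analyze(source: str) -> Dict[str, Set[str]]:
    """Map each sink name to every string that can reach it on some path."""
    sinks: Dict[str, Set[str]] = {}
    exec_block(ast.parse(source).body, {}, sinks)
    return sinks


# Constructed sample: the final command depends on two conditions we cannot decide.
SAMPLE_SCRIPT = '''
head = "pow" + "ersh"
if flag:
    cmd = head + "ell -enc AAA"
else:
    cmd = "cmd /c whoami"
if other:
    cmd = cmd.replace("AAA", "QUJD")
run(cmd)
'''

if __name__ == "__main__":
    for sink, values in analyze(SAMPLE_SCRIPT).items():
        print(sink, sorted(values))
```

The point of merging rather than choosing a branch is that a sandbox only ever sees the path the script takes on that one machine, while this walk reports every command string the script could hand to run() on any machine. Loops and anything else outside the supported subset are left opaque here, which a real engine would have to bound and handle explicitly.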
When it comes to malicious URLs, the platform could accurately distinguish hyperlinks, which require a click, from remote objects that a document invokes automatically on open, reporting the purpose and behavior of every remote object. It would determine the type of embedding used, even without fetching the remote file or object, judge its level of maliciousness in real time, and block even the most evasive malware.
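Applying the hyperlink-versus-remote-object distinction to an Office file, as an added example and not the article's platform: a .docx is a zip package whose .rels parts list every relationship, and a TargetMode="External" relationship of type oleObject or attachedTemplate is resolved when the document opens, whereas a hyperlink waits for a click. The minimal package below is constructed in memory, and the set of auto-invoked relationship kinds is my assumption.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# Relationship kinds Word resolves when the document opens, with no click
# (assumed set for this example; the real list is longer)
AUTO_INVOKED = {"oleObject", "attachedTemplate", "frame", "subDocument"}


def classify_relationships(docx_bytes: bytes) -> List[Dict[str, str]]:
    """Read every .rels part and classify each relationship. Nothing is fetched."""
    findings: List[Dict[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for part in pkg.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(part))
            for rel in root.iter(REL_NS + "Relationship"):
                kind = rel.get("Type", "").rsplit("/", 1)[-1]
                external = rel.get("TargetMode") == "External"
                if not external:
                    verdict = "local part"
                elif kind == "hyperlink":
                    verdict = "hyperlink (needs a click)"
                elif kind in AUTO_INVOKED:
                    verdict = "remote object (fetched on open)"
                else:
                    verdict = "external (unclassified)"
                findings.append({"part": part, "id": rel.get("Id", ""), "kind": kind,
                                 "target": rel.get("Target", ""), "verdict": verdict})
    return findings


def auto_fetched_targets(docx_bytes: bytes) -> List[str]:
    """URLs the document would reach for on open, sorted."""
    return sorted(f["target"] for f in classify_relationships(docx_bytes)
                  if f["verdict"] == "remote object (fetched on open)")


def build_sample_docx() -> bytes:
    """Constructed minimal package: just enough parts to show the relationship kinds."""
    ooxml = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
    doc_rels = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="{ooxml}image" Target="media/image1.png"/>
  <Relationship Id="rId2" Type="{ooxml}hyperlink" Target="https://example.com/" TargetMode="External"/>
  <Relationship Id="rId3" Type="{ooxml}oleObject" Target="http://203.0.113.5/obj.bin" TargetMode="External"/>
</Relationships>"""
    settings_rels = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId9" Type="{ooxml}attachedTemplate" Target="http://example.net/remote.dotm" TargetMode="External"/>
</Relationships>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("word/document.xml", "<document/>")
        pkg.writestr("word/_rels/document.xml.rels", doc_rels)
        pkg.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


if __name__ == "__main__":
    for f in classify_relationships(build_sample_docx()):
        print(f"{f['part']:32} {f['id']:5} {f['kind']:17} {f['verdict']:32} {f['target']}")
```

This reads only the relationship tables. A fuller check would follow each relationship Id back into document.xml or settings.xml to see how the object is embedded (for instance whether a linked object is set to update automatically), but even this level is enough to flag a remote template or a linked OLE object without ever downloading it.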
Why worry about heuristic or behavioral scores, with their false positives and false negatives, when you can get a deterministic outcome together with detailed metadata for deep forensic analysis?
Because it neither depends on variations in the underlying technology stack nor requires a carefully curated environment for runtime analysis, an evasion-proof architecture is highly effective at stopping today's attacker, known or unknown, and is for the same reason ready for tomorrow's.
— Boris Vaynberg is CEO and a co-founder of Solebit. His previous experience includes positions at Elbit Systems' Intelligence and Cyber Solutions division and Comsec Consulting's Information Security division. He also served for six years in an elite technology unit of the Israel Defense Forces (IDF).