Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

4/23/2019
02:30 PM
Saumitra Das
Saumitra Das
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

When Every Attack Is a Zero Day

Stopping malware the first time is an ideal that has remained tantalizingly out of reach. But automation, artificial intelligence, and deep learning are poised to change that.

The collective efforts of hackers have fundamentally changed the cyber defense game. Today, adversarial automation is being used to create and launch new attacks at such a rate and volume that every strain of malware must now be considered a zero day and every attack considered an advanced persistent threat.

That's not hyperbole. According to research by AV-Test, more than 121.6 million new malware samples were discovered in 2017. That is more than 333,000 new samples each day, more than 230 new samples each minute, nearly four new malware samples every second.

When malicious, morphing malware is unleashed at that scale, traditional defenses are quickly overwhelmed. Signature-based detection only works for known threats. Sandboxing-based detection techniques can't keep up because there isn't enough time and resources to analyze and identify attack signatures when your enterprise is being bombarded with malware variants that have never been seen before.

Stopping malware attacks the first time is an ideal that has remained tantalizingly out of reach, and so success measured over time became the standard—a standard that has been obviated by the insidiously effective nature of malware. If an attack succeeds once but is stopped on 99 subsequent attacks, that's a 99% success rate. To achieve that, however someone has to be "Patient Zero." Someone must take one for the team so that the intelligence gained from that first attack can be shared and used to prevent subsequent attacks. But when attacks are launched at a massive, global scale, and when there are more than 121 million new samples every year, there's never just one Patient Zero. And it's no fun if you happen to be among them.

Thanks to advancements in the development of automation, artificial intelligence and deep learning, there may be hope. (Editor's note: Blue Hexagon is one of several early innovators developing security products based on deep learning.)

Deep learning is a type of machine learning that uses artificial neural networks to make decisions. Artificial neural networks are not new, but recent advancements in processing have increased their capabilities. At the same time the costs of the underlying tech have lowered, putting deep learning applications within the reach of many industries — including cybersecurity. In fact, deep learning's capabilities are an ideal application for addressing many of the challenges that continue to stymie efforts to secure networks against hacking's daily onslaught.

Fundamentally cybersecurity is about data and patterns, and there is a huge pool of threat data available through threat intelligence services and repositories that has been aggregated over the years and that can be used to inform deep learning-based defenses. By exposing neural nets to the vast threat data set, deep learning can learn to identify malicious traffic, even if the specific attack is brand new.

This is not theoretical. Deep learning has been applied at network entry points — both on-premises and in the cloud — to inspect traffic in early, live customer deployments, where it has successfully detected and blocked polymorphic malware, including Emotet variants, on first encounter. The underlying architecture ensures that threat analysis, verdict, and prevention occur in seconds, keeping malware out of the network in real time.

It's early days yet, and while there has been no independent testing disclosed to date, the potential for deep learning to make a quantum leap is in evidence. In our lab and beta test environments, we have consistently achieved nearly 100% detection rates for all threats encountered, including both known samples and zero days, regardless of OS or application. We are also pursuing independent testing to verify these results.

This is important because hackers have developed techniques to evade and defeat traditional defenses such as sandboxes and signatures. These results suggest that the industry may have reached a point where stemming the tide of threat escalation is achievable and the traditional game of cybersecurity whack-a-mole — where threat actors create and distribute new malware, security vendors identify the new strain and distribute its signature, and threat actors would respond by creating more new malware strains — may be at an end.

When attackers realized they could use automation to generate and distribute malware variants faster than the industry could react, they embraced their new ability with enthusiasm. If deep learning gives our industry the means to return fire and blunt their attacks with overwhelming speed and intelligence, we should likewise embrace our newfound power.

Related Content:

 

 

 Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Saumitra Das is the CTO and Co-Founder of Blue Hexagon. He has worked on machine learning and cybersecurity for 18 years. As an engineering leader at Qualcomm, he led teams of machine learning scientists and developers in the development of ML-based products shipped in ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
FabricGuy
100%
0%
FabricGuy,
User Rank: Apprentice
4/27/2019 | 9:10:11 PM
Re: Rational post.... Have you seen how Fortinet deals with this challenge?
I would love to tlak to you more about why the amount of virus/malware per week is not relevant when you do not have to create unique signatures for each variant.  Fortinet has patented technology that allows a core signature to match multiple variations where a typical A/V database has to contain a signature for every variant.  That large number of 1.8 million shrinks considerably down when you don't have to track each variation of the same family.
Saumitra Das
100%
0%
Saumitra Das,
User Rank: Author
4/26/2019 | 2:56:41 AM
Re: Rational post.... Have you seen how Fortinet deals with this challenge?
Yes I have seen how several techniques have been used to deal with this including more complicated hashing techniques, complex signatures applied on more involved static analysis involving emulation or unpacking (like CPRL). While these are very interesting ways to deal with these challenges, in my opinion, they do not scale to the current threat landscape where we see a high degree of automation and millions of threats every single day. As an example, despite advancements like CPRL, documentation online touts the following - 
  • 1.8 Million new and updated AV definitions per week
  • Hourly updates of the AV signature database

Clearly if signatures need hourly updates and millions new per week, the existing signatures are not able to generalize to the scale of attack creation in the threat landscape despite the innovation in the nature of signatures. If that was the case, one should not need to update signatures so often.

Additionally, sandboxing is proposed to handle the real "unknowns" which are not captured by traditional "one signature, one variant" technique or CPRL. But that product has several caveats like max file sizes and a conserve mode (to reduce file types analyzed when sandbox is loaded). If CPRL could handle all the variants, I would assume the sandbox should have very few unknowns to deal with and not have these caveat and throughput concerns. Ideally, if signatures could generalize so well, one should not even need a sandbox appliance since there would be so few true unknowns that a cloud sandbox would suffice.

My opinion is that while techniques like CPRL are a meaningful and necessary improvement over the "one signature, one variant" technique, the current threat landscape calls for a level of generalization to cover attacks that is at the same scale as that of the attackers. This is not just needed for new unkown variants but also to cover the existing known attacks. Fitting the known attack signatures into perimeter protection without degrading throughput is as much a problem as detecting new variants.  
FabricGuy
100%
0%
FabricGuy,
User Rank: Apprentice
4/25/2019 | 11:28:36 AM
Rational post.... Have you seen how Fortinet deals with this challenge?
Do a google search for "fortinet CPRL" - Compact Pattern Recognition Language
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16772
PUBLISHED: 2019-12-07
The serialize-to-js NPM package before version 3.0.1 is vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.to...
CVE-2019-9464
PUBLISHED: 2019-12-06
In various functions of RecentLocationApps.java, DevicePolicyManagerService.java, and RecognitionService.java, there is an incorrect warning indicating an app accessed the user's location. This could dissolve the trust in the platform's permission system, with no additional execution privileges need...
CVE-2019-2220
PUBLISHED: 2019-12-06
In checkOperation of AppOpsService.java, there is a possible bypass of user interaction requirements due to mishandling application suspend. This could lead to local information disclosure no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVers...
CVE-2019-2221
PUBLISHED: 2019-12-06
In hasActivityInVisibleTask of WindowProcessController.java there?s a possible bypass of user interaction requirements due to incorrect handling of top activities in INITIALIZING state. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction ...
CVE-2019-2222
PUBLISHED: 2019-12-06
n ihevcd_parse_slice_data of ihevcd_parse_slice.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.0 Android...