
Vulnerabilities / Threats

4/23/2019
02:30 PM
Saumitra Das
Commentary

When Every Attack Is a Zero Day

Stopping malware the first time is an ideal that has remained tantalizingly out of reach. But automation, artificial intelligence, and deep learning are poised to change that.

The collective efforts of hackers have fundamentally changed the cyber defense game. Today, adversarial automation is being used to create and launch new attacks at such a rate and volume that every strain of malware must now be considered a zero day and every attack considered an advanced persistent threat.

That's not hyperbole. According to research by AV-Test, more than 121.6 million new malware samples were discovered in 2017. That is more than 333,000 new samples each day, more than 230 new samples each minute, and nearly four new malware samples every second.

When malicious, morphing malware is unleashed at that scale, traditional defenses are quickly overwhelmed. Signature-based detection only works for known threats. Sandboxing-based detection techniques can't keep up because there is neither the time nor the resources to analyze and identify attack signatures when your enterprise is being bombarded with malware variants that have never been seen before.

Stopping malware attacks the first time is an ideal that has remained tantalizingly out of reach, and so success measured over time became the standard, a standard that has since been obviated by the insidiously effective nature of malware. If an attack succeeds once but is stopped on 99 subsequent attacks, that's a 99% success rate. To achieve that, however, someone has to be "Patient Zero." Someone must take one for the team so that the intelligence gained from that first attack can be shared and used to prevent subsequent attacks. But when attacks are launched at a massive, global scale, and when there are more than 121 million new samples every year, there's never just one Patient Zero. And it's no fun if you happen to be among them.

Thanks to advancements in the development of automation, artificial intelligence and deep learning, there may be hope. (Editor's note: Blue Hexagon is one of several early innovators developing security products based on deep learning.)

Deep learning is a type of machine learning that uses artificial neural networks to make decisions. Artificial neural networks are not new, but recent advancements in processing have increased their capabilities. At the same time, the costs of the underlying tech have fallen, putting deep learning applications within the reach of many industries, including cybersecurity. In fact, deep learning's capabilities are an ideal fit for addressing many of the challenges that continue to stymie efforts to secure networks against hacking's daily onslaught.

Fundamentally, cybersecurity is about data and patterns, and there is a huge pool of threat data available through threat intelligence services and repositories that has been aggregated over the years and that can be used to inform deep learning-based defenses. By exposing neural nets to this vast threat data set, deep learning can learn to identify malicious traffic, even if the specific attack is brand new.

This is not theoretical. Deep learning has been applied at network entry points — both on-premises and in the cloud — to inspect traffic in early, live customer deployments, where it has successfully detected and blocked polymorphic malware, including Emotet variants, on first encounter. The underlying architecture ensures that threat analysis, verdict, and prevention occur in seconds, keeping malware out of the network in real time.

It's early days yet, and while there has been no independent testing disclosed to date, the potential for deep learning to make a quantum leap is in evidence. In our lab and beta test environments, we have consistently achieved nearly 100% detection rates for all threats encountered, including both known samples and zero days, regardless of OS or application. We are also pursuing independent testing to verify these results.

This is important because hackers have developed techniques to evade and defeat traditional defenses such as sandboxes and signatures. These results suggest that the industry may have reached a point where stemming the tide of threat escalation is achievable, and that the traditional game of cybersecurity whack-a-mole (threat actors create and distribute new malware, security vendors identify the new strain and distribute its signature, and threat actors respond by creating still more new malware strains) may be at an end.

When attackers realized they could use automation to generate and distribute malware variants faster than the industry could react, they embraced their new ability with enthusiasm. If deep learning gives our industry the means to return fire and blunt their attacks with overwhelming speed and intelligence, we should likewise embrace our newfound power.


Saumitra Das is the CTO and Co-Founder of Blue Hexagon. He has worked on machine learning and cybersecurity for 18 years. As an engineering leader at Qualcomm, he led teams of machine learning scientists and developers in the development of ML-based products shipped in ...

Comments
FabricGuy (User Rank: Apprentice), 4/25/2019 | 11:28:36 AM
Rational post.... Have you seen how Fortinet deals with this challenge?
Do a google search for "fortinet CPRL" - Compact Pattern Recognition Language
Saumitra Das (User Rank: Author), 4/26/2019 | 2:56:41 AM
Re: Rational post.... Have you seen how Fortinet deals with this challenge?
Yes, I have seen how several techniques have been used to deal with this, including more complicated hashing techniques and complex signatures applied on more involved static analysis involving emulation or unpacking (like CPRL). While these are very interesting ways to deal with these challenges, in my opinion they do not scale to the current threat landscape, where we see a high degree of automation and millions of threats every single day. As an example, despite advancements like CPRL, documentation online touts the following:
  • 1.8 Million new and updated AV definitions per week
  • Hourly updates of the AV signature database

Clearly, if signatures need hourly updates and millions of new ones per week, the existing signatures are not able to generalize to the scale of attack creation in the threat landscape, despite the innovation in the nature of signatures. If that were the case, one should not need to update signatures so often.

Additionally, sandboxing is proposed to handle the real "unknowns" which are not captured by the traditional "one signature, one variant" technique or CPRL. But that product has several caveats, like max file sizes and a conserve mode (to reduce the file types analyzed when the sandbox is loaded). If CPRL could handle all the variants, I would assume the sandbox should have very few unknowns to deal with and not have these caveats and throughput concerns. Ideally, if signatures could generalize so well, one should not even need a sandbox appliance, since there would be so few true unknowns that a cloud sandbox would suffice.

My opinion is that while techniques like CPRL are a meaningful and necessary improvement over the "one signature, one variant" technique, the current threat landscape calls for a level of generalization to cover attacks that is at the same scale as that of the attackers. This is not just needed for new unknown variants but also to cover the existing known attacks. Fitting the known attack signatures into perimeter protection without degrading throughput is as much a problem as detecting new variants.
FabricGuy (User Rank: Apprentice), 4/27/2019 | 9:10:11 PM
Re: Rational post.... Have you seen how Fortinet deals with this challenge?
I would love to talk to you more about why the amount of virus/malware per week is not relevant when you do not have to create unique signatures for each variant. Fortinet has patented technology that allows a core signature to match multiple variations, where a typical A/V database has to contain a signature for every variant. That large number of 1.8 million shrinks considerably when you don't have to track each variation of the same family.