How cyberattackers evade threat signatures – The case for behaviour-based threat detection

How cyberattackers evade threat signatures – The case for behaviour-based threat detection

Virus detected hologram on digital background. Danger alert, antivirus, cyber attack, worm infection and warning abstract concept. Futuristic 3d illustration.

Nimble attackers can easily create and hide their exploits in an infinite number of ways. Ammar Enaya, Regional Director – Middle East, Turkey and North Africa at Vectra, says: “The limitations of signatures should be complemented with automated threat management models that continuously learn new attack behaviours and adapt to network changes.”

There’s an alarming cybersecurity gap between the time an attacker evades prevention security at the network perimeter and the time when an organisation discovers that key assets have been stolen or destroyed. This is the attacker dwell time gap and is measured in weeks or months for most organisations who are breached.

Attackers have a big advantage in this gap. Traditional, widely embraced approaches to detecting threats – including signatures, reputation lists and blacklists – are inherently reactive, ceding the first-mover advantage to cybercriminals.

The inherent limitations

Signatures have had a good run, especially at detecting large-scale commodity threats like command-and-control communications of botnets, automated crawlers and vulnerability scanners that scour the Internet.

But the signature model is limited and leaves multiple blind spots for a barrage of perilous attacks. Attackers who value stealth, over the number of systems they control, are finding ways around signatures. And unfortunately, these sophisticated attackers tend to think more strategically and pose a significant risk to organisations.

Understanding the blind spots caused by signatures requires understanding the weaknesses. For one, signatures, reputation lists and blacklists only recognise threats that have been previously seen. This means someone needs to be the first victim, and everyone hopes it’s not them. Detecting threats usually depends on key security applications installed at endpoints and gateways. New threats are caught in virtual sandboxes and new signatures are generated on-the-fly. The process takes time and malware can gain a foothold as endpoints and networks are left vulnerable.

Secondly, signatures have no response to attackers that have already penetrated your network, as they live off of the land using common protocols and services, and not the malware they used to find a way in. Signatures and other Indicators of Compromise won’t help you identify and stop a malicious insider with legitimate access and legitimate tools. Attack behaviours and deviations from normal activity can’t be detected with signatures.

Custom malware also makes its way around signatures. Most malware is unique to the organisation under attack, which means it won’t be caught by signatures. According to the 2015 Verizon Data Breach Investigation Report, 70% to 90% of malware samples have traits that are exclusive to the targeted organisation, and this approach of customisation and bespoke tooling has only grown since then.

Attackers don’t handcraft malware; they modify existing malware just enough to throw off signature-based defences. Malware signatures work by creating hashes of known bad files, so the smallest modification prevents a match. Attackers simply add a few bits to a malware file so the hash won’t recognise it as malware. These changes occur automatically with no human interaction.

Vast volumes of seemingly custom malware are generated daily in this way. The key is that while the malware’s bit pattern may differ, its behaviour is the same. The changes, which are designed to avoid signature-based detection, are superficial.

Signatures also miss zero-day attacks that target vulnerabilities in software or operating systems, such as Heartbleed or Duqu 2.0. These vulnerabilities are virtually impossible to detect via signatures because they only stop known threats.

Creating new signatures is a tried and tested solution. It’s the bedrock of everything from antivirus software to next-generation firewalls, intrusion detection systems (IDS) and intrusion prevention systems (IPS). However, they are always several steps behind attackers and can create a false sense of security.

Focus on attacker behaviour

Attackers can change malware, search for unknown vulnerabilities and steal data from systems they have permission to access. But they can’t change their attack behaviours as they spy, spread and steal from a victim’s network.

These behaviours can be observed, giving organisations real-time visibility into active threats inside their networks. Today, the savviest organisations complement their signature-based defences with automated threat management. They stay up-to-date on prevalent attacker Tactics, Techniques and Procedures (TTPs) from evidence-based sources like the Mitre ATT&CK framework, to hypothesise possible attacks and put appropriate controls in place.

Spotting the weak signals of an attack, hidden in the cacophony of communications, isn’t easy and requires smart, adaptive software. By combining data science, Machine Learning and behavioural analysis, automated threat management detects malicious behaviours inside the network, regardless of the attacker’s attempt to evade signatures and whether it’s an insider or outsider threat.

By focusing on attack behaviours and actions, automated threat management can identify every phase of an active attack – command and control, botnet monetisation, internal reconnaissance, lateral movement and data exfiltration – without signatures or reputation lists.

Behaviour-based threat detections also identify internal reconnaissance scans and port scans, Kerberos client activity and the spread of malware inside a network. Data science models are effective at neutralising an attacker’s use of domain-generation algorithms to create an endless supply of URLs for their threats.

Cybercriminals always look for new ways to conceal their attack communications and one of the most effective – and fastest-growing – ways to do this is by hiding within another allowed protocol. For example, an attacker can use benign HTTP communication but embed coded messages in text fields, headers or other parameters in the session. By riding shotgun on an allowed protocol, the attacker can communicate without detection.

However, the detection models inherent in automated threat management can reveal these hidden tunnels by learning and analysing the timing, volume and sequencing of traffic.

Staying ahead of network threats

Nimble attackers can easily create and hide their exploits in an infinite number of ways. Consequently, the limitations of signatures should be complemented with automated threat management models that continuously learn new attack behaviours and adapt to network changes.

It’s time to jump off the signature hamster wheel, gain visibility and an understanding of the previously unknown inside your networks and cloud, and get ahead of attackers by automatically detecting and analysing the behaviours and actions that belie an attack and mitigate the threat before damage is done.

Browse our latest issue

Intelligent CIO Africa

View Magazine Archive