What Good is a Snapshot in a Continuously Changing Malware Landscape?

By Leon Ward, Field Product Manager, Sourcefire

In my last article I wrote that advanced malware and targeted attacks are profoundly changing how we must protect our systems. It’s no longer enough to focus on visibility and blocking at the point of entry in order to protect systems. Attacks today have reached a new level of sophistication and outbreaks are inevitable. Like the infamous bank robber, Willie Sutton, who disguised himself as a mailman, a maintenance man, even a police officer to gain entry to targeted financial institutions and eluded captors for decades, modern malware can disguise itself as a legitimate application to evade  defences. Later, when a breach occurs, you don’t know what you’re looking for. To contain and stop the damage, you need a broader approach to IT security that enables continuous visibility and control. Because once you “see it,” then you can “control it” and “protect it.”

Think for a moment about how today’s air transportation safety procedures have evolved as we’ve become savvier to potential threats. Airport security checkpoints are essential to the process of keeping threats off of our airplanes. However, the addition of air marshals and ongoing training of in-flight personnel to spot suspicious behavior in the air are also critical to maintaining security. An individual may appear perfectly ‘normal’ and escape notice when passing through initial checkpoints. But behaviors change (i.e., he or she may become increasingly anxious, agitated or angry) as the time approaches to execute an attack.

Now consider today’s malware defences. Technologies like sandboxing share a similar ‘snapshot’ approach to security as airport security gates. It provides a baseline level of protection, but it cannot identify sophisticated malware that appears ‘normal’ in a sandboxed environment – failing to execute or recognising it’s running in a sandbox and modifying its behavior. Yet unlike our air transportation safety program that continues to monitor individuals beyond the checkpoint, once a file is deemed ‘clean’ and leaves the sandbox it is no longer visible. At that point,malware has infiltrated the network and the problem shifts from threat prevention to threat removal; without ongoing visibility, an outbreak is inevitable.

To deal with advanced malware and targeted attacks, organisations must expand their approach to the malware problem to address the entire lifecycle of modern threats—from point of entry, through propagation, to post-infection remediation. Obviously, you still need a first line of defence that includes malware detection; the ability to identify files as malware at the point of entry and remediate accordingly is a fundamental first step. But you also must identify technologies that extend visibility and control through to propagation and post-infection remediation. Let’s take a closer look at these phases of the malware lifecycle and technologies that can help increase protection.

Propagation. Malware that gets through the first checkpoint will change its behaviour, perhaps immediately but perhaps not for days, weeks or even months. You need solutions that will continuously monitor files and identify and analyse suspicious changes in behaviour, automatically cross-checking against other pieces of contextual information such as bandwidth usage, time of day and file movement for greater intelligence. Continuous file visibility and analysis is critical to understand how to contain outbreaks and block future attacks.

Post-infection Remediation.Once you’ve identified suspicious behavior, you need solutions that can automatically evaluate the file against the latest threat intelligence and retrospectively alert you to malware. You can’t afford system performance delays so technologies that can leverage the cloud to analyse individual files without a full system scan will save computational cost.Next you need to understand the scope of the breach—what was the file’s trajectory?Gaining visibility into which systems the file has touched and if it has been executed gives you actionable intelligence to contain the outbreak. Armed with this insight you can quickly take steps to remediate—quarantining files previously thought to be safe but now deemed to be malware and performing clean-up.

Malware detection is a critical component to any defence strategy, but it isn’t fail-safe. Without continuous file analysis and retrospective alerting you’ll remain in the dark until your systems begin to significantly falter. When an attack does become evident you’ll be challenged to know how to contain and stop the damage.

Leon Ward
Field Product Manager
Sourcefire

Leon works as a field product manager for Sourcefire. Prior to joining Sourcefire, Leon was involved in the design and development of open source (OSS) Intrusion Prevention Systems. Leon applies his strong background in UNIX security and protocol analysis to overcome the challenges of network security monitoring in the enterprise, specifically in the areas of network intrusion detection, threat mitigation, event analysis and vulnerability assessment. In the little spare time Leon finds, he is the lead contributor to the open source network traffic forensics project OpenFPC (Open Full Packet Capture).

About Sourcefire
Sourcefire, Inc. (Nasdaq:FIRE), a world leader in intelligent cybersecurity solutions, is transforming the way global large- to mid-size organisations and government agencies manage and minimise network security risks. With solutions from a next-generation network security platform to advanced malware protection, Sourcefire provides customers with Agile Security® that is as dynamic as the real world it protects and the attackers against which it defends. Trusted for more than 10 years, Sourcefire has been consistently recognised for its innovation and industry leadership with numerous patents, world-class research, and award-winning technology. Today, the name Sourcefire has grown synonymous with innovation, security intelligence and agile end-to-end security protection. For more information about Sourcefire, please visit www.sourcefire.com.

Sourcefire, the Sourcefire logo, Snort, the Snort and Pig logo, Agile Security and the Agile Security logo, ClamAV, FireAMP, FirePOWER, FireSIGHT and certain other trademarks and logos are trademarks or registered trademarks of Sourcefire, Inc. in the United States and other countries. Other company, product and service names may be trademarks or service marks of others.