No one will argue that hackers and malicious actors are becoming more dangerous and sophisticated in their attacks, and that older methods of protection are losing their effectiveness as a result. The traditional approach to defending computers against malware is to keep a database of virus signatures and to scan every new file introduced into the system for the signs of known threats.
This means that your defenses are only as good as your stock of virus definitions, which unfortunately isn’t enough in today’s threat landscape.
Smart malware is emerging every day: a breed of virus that changes shape, evades signature scans, and is even shrewd enough to slip past some of the more advanced security solutions that monitor process behavior instead of checking file contents. Viruses that regularly encrypt or morph their binaries, viruses that bypass the security sandbox environment, and malicious code embedded in macros and non-executable files are just some of the new flavors of threats that surround you as you surf the web and read your email.
Dealing with these constantly changing forms of cyber-evil requires security tools that can anticipate the unknown and protect you against undiscovered malware. Here are four tools that get into the minds of hackers and malware developers to devise entirely new methods that outsmart both the malware and its creators.
Minerva’s anti-evasion technology
In response to the constantly changing signatures of malware, security vendors invented behavior-based security tools, software equipped with an ultra-secure sandbox that examines the functionality of a process before allowing it to gain access to system resources.
In response, malware developers created viruses that evade such security and forensics tools by remaining dormant inside the sandbox and not revealing their evil nature while under the scrutiny of security software. Once released from the sandbox, they start unleashing their real damage. Protecting systems against such malware is extremely challenging, and detection, if it ever happens, usually comes too late, after the damage is done.
The engineers at Minerva Labs, a cybersecurity startup that came out of stealth in January, have developed an endpoint security tool that uses malware’s evasion techniques against it. The tool, from a company whose motto is “Don’t Chase, Prevent,” simulates the presence of multiple security and forensics tools, such as anti-malware solutions and Intrusion Prevention Systems, in order to create the semblance of an extremely hostile environment for the malware.
Having been fooled into thinking it is constantly being examined by security tools, the malware avoids unpacking and executing its malicious payload, and remains in evasion mode indefinitely until it is freed from the sandbox, which never happens.
Minerva’s solution neutralizes the advantage that malware gains through evasion techniques, and makes it possible to prevent attacks without detecting the malware or having any prior knowledge of it. It has proved its worth by blocking some of the nastier strains of ransomware that have managed to sneak past conventional security tools.
Another advantage of Minerva’s technique is that it doesn’t put any strain on the system. The endpoint solution is compiled into a passive, lightweight executable with a very low memory footprint, which complements the other security tools installed on workstations.
CyActive’s predictive algorithm
For malware developers, circumventing signature-based security tools is as easy as recompiling their payload with slight modifications. In fact, in its 2016 Internet Security Threat Report, Symantec revealed that it had found 430 million new unique pieces of malware in 2015, a 36 percent increase from the year before.
What’s interesting is that 70 to 90 percent of these new samples are in truth modified variants of older ones. This is because it is much easier for malware developers to recycle old viruses than to develop new ones and reinvent the entire attack chain. Even new, fresh-out-of-the-oven malware uses a lot of code and elements borrowed from previous tried and tested specimens.
Developers at CyActive have taken advantage of this reality to build a security technology that predicts how malware will evolve and thwarts malware developers’ attempts to reuse old code. CyActive gathers malware information from various sources and, based on bio-inspired algorithms and its understanding of hacker behavior, forecasts hundreds of thousands of future malware derivatives. Consolidated in its cloud, this knowledge is then used to train “smart detectors” that prevent attacks against endpoints.
This approach takes away the unfair advantage that lets attackers generate new malware by changing a few lines of code, and puts them on par with defenders.
Invincea’s deep learning engine
Invincea Labs is another company that takes on the challenge of discovering and blocking unknown malware, though it uses a different approach. The firm, whose CEO, Dr. Anup Ghosh, has a history of working as a cybersecurity expert at DARPA, uses deep learning to detect and block unknown malware that evades signature-based security solutions. Deep learning is an advanced form of artificial intelligence used by large companies to perform complicated tasks such as facial recognition and natural language processing.
Invincea extracts the capabilities and features of a program before it executes and feeds that information into its deep learning algorithm, which scores the file according to its similarity to known malware. Files with higher scores are more likely to be malware and are blocked. The entire file analysis and decision-making process takes less than 10 milliseconds.
The deep learning technology works in conjunction with behavioral monitoring to drive greater efficacy and stop executable-less attacks such as weaponized MS Office files. This is important because a considerable percentage of advanced attacks start file-less, and most security tools are blind to this threat.
A paper by researchers from Invincea says that their deep learning system was able to detect new malware with a reliability of 95 percent and an error rate of 0.01 percent.
One of the benefits of Invincea is its ability to integrate with Security Information and Event Management (SIEM) tools in order to improve efficiency and increase visibility without overwhelming analysts.
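The pre-execution scoring pipeline just described, reduced to an added illustration that is not Invincea’s code: static features (printable strings and a coarse entropy bucket) are extracted from a file and compared against known-malicious feature sets, with a cosine similarity standing in for the deep learning model and a threshold deciding allow or block. All sample “files” are constructed byte strings, not real executables.

```python
import math
import re
from collections import Counter

# Constructed stand-ins for executables (invented strings, not real malware).
KNOWN_MALWARE = [
    b"MZ\x90\x00CreateRemoteThread\x00WriteProcessMemory\x00VirtualAllocEx\x00"
    b"http://c2.example.invalid/gate\x00cmd.exe /c\x00" + b"\x00" * 64,
    b"MZ\x90\x00SetWindowsHookExA\x00GetAsyncKeyState\x00keylog.txt\x00"
    b"smtp.example.invalid\x00" + b"\x00" * 64,
]
# A recompiled "variant": same imports, reordered, with a new C2 path.
VARIANT_SAMPLE = (b"MZ\x90\x00WriteProcessMemory\x00VirtualAllocEx\x00"
                  b"CreateRemoteThread\x00http://c2.example.invalid/gate2\x00"
                  b"cmd.exe /c\x00" + b"\x00" * 64)
BENIGN_SAMPLE = (b"MZ\x90\x00GetStdHandle\x00WriteFile\x00ExitProcess\x00"
                 b"Hello, world!\x00" + b"\x00" * 64)


def extract_features(data: bytes) -> Counter:
    """Static, pre-execution features: printable strings of 5+ chars,
    plus the file's Shannon entropy bucketed to one decimal place so that
    packed or encrypted blobs cluster together."""
    feats = Counter()
    for s in re.findall(rb"[\x20-\x7e]{5,}", data):
        feats["str:" + s.decode("ascii")] += 1
    counts = Counter(data)
    n = len(data)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    feats[f"entropy:{entropy:.1f}"] += 1
    return feats


def cosine(a: Counter, b: Counter) -> float:
    """Cosine similarity of two sparse feature vectors (0.0 if either is empty)."""
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def malware_score(data: bytes) -> float:
    """Highest similarity to any known-malicious feature set, in [0, 1]."""
    feats = extract_features(data)
    return max(cosine(feats, extract_features(m)) for m in KNOWN_MALWARE)


def verdict(data: bytes, threshold: float = 0.5) -> str:
    """Block when the score crosses the threshold; the threshold is a tuning knob
    that trades detection rate against false positives."""
    return "block" if malware_score(data) >= threshold else "allow"
```

Reordering strings or changing the C2 path leaves the variant close to the known sample, which is the point of similarity scoring: the recompiled variant is caught without a new signature.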
Morphisec’s moving target defense
No matter how hard you try to secure your system against malware, vulnerabilities will remain. Whether it’s an unknown zero-day exploit, a browser update that slipped past you, or legacy software with known bugs that you installed and forgot about, hackers will eventually find a way into your system, especially since the widespread presence of botnets lets them stage automated attacks against many targets at once.
After all, as the saying goes, you have to win every time. Hackers only have to win once.
Based on this idea, cybersecurity firm Morphisec has tailored its Protector security tool to stop attackers in their tracks at the first step, before they can gain an initial foothold in the system. The method, dubbed “Moving Target Defense,” conceals known and potential vulnerabilities in the system by randomly scrambling the memory layout of processes as they are loaded.
This makes it near-impossible for malware to find a zero-day or unpatched vulnerability in the system.
Ironically, this is the same method malware developers use to hide their malicious payload from security solutions, which hints at the deep knowledge the Morphisec team has of the mentality and mechanisms behind malware development and operation.
The Moving Target Defense technique turns the tables on malware developers, making them chase vulnerabilities instead of being chased by your antivirus.