If you’ve been in the IT/Cyber Security industry for any length of time like we have, you’ll know that security doesn’t stand still. In fact, things are constantly evolving at a rapid pace. The reason for this is simple, threats are evolving even faster.
In Cisco’s 2017 annual cyber security report they found that 95% of malware was less than 24 hours old, which indicates that malware evolves at a frightening rate. This means that techniques used to identify and protect against these threats also need to move forward at a similar rate.
For years, signature based detection had long been the favoured method of detecting and protecting the enterprise from Malware, and for a long time, whilst not being foolproof, has been very effective.
Signature-based detection is however somewhat limited as it will only protect from known Malware and relies on huge signature databases being updated each time a new threat is identified. These databases can hold information on millions of different strains of Malware and updates are sent out to customers regularly, although not regularly enough to keep up with the amount of new threats identified each day.
In Q3 2016 alone, 18 million new malware samples were captured.
The average length of time a strain of Malware lays dormant on a network is 200 days, however not all Malware is created equal. As we saw with the recent outbreaks of WannaCry and NotPetya the payload is delivered and acted upon extremely quickly which we are finding happens more often.These are examples of one specific form of Malware, Ransomware, but other Malware may have different motivations for being on the network and may be required by design to lay dormant quietly gathering information.
As the majority of Malware we see is new or a close relative of an already existing strain then it leads us to believe that we need to look at new ways of detecting these new variants as they are developed and executed on an almost industrial scale.
Throw into the mix that the amount of Malware designed to deliver its payload quickly is rising (we see this as being common with more modern Malware) and some of the more advanced malware can alter its signatures to avoid detection, means that security professionals can’t wait for the latest signature database updates to be released, they need to be prepared for the latest attack before it happens.
This is where behavioural analysis comes into play. Due to the amount and complexity of Malware, security vendors quickly saw the need to change the way they were detecting Malware otherwise they would be quickly left behind by the threat developers, which would spell disaster for millions of businesses around the world.
Many vendors now offer products that use behavioural analytics in conjunction with signatures to detect Malware. Some offer their products as a feature pre-built into their existing suites and others offer standalone products sold as an add-on.
These products look out for abnormal patterns of behaviour as potential threats enter the network. They will look at behaviours such as observing keystrokes, sending out of multiple emails, attempting to alter files, or generating autorun files on network drives or removable media.
Some of these in isolation may be enough for an EndPoint Security vendor to flag up an issue, however others may want a combination of factors to be present before flagging up a file as potential Malware.
Although Signature based detection as mentioned previously has its limitations, it still has its uses, especially in detecting known malware, however here at ITB we actively encourage our customers to use a combination of signature and behavioural based detection to identify potential threats.
This combination, along with a good sandbox, will go some way in protecting an organisation from online threats.
To speak with one of our Security Specialists, please feel free to give us a call on 01865 595510.