Defending Against Custom Malware: The Rise of STAP
By Charles Kolodgy
How do you defend against something that's never been seen before? That's the key question organizations struggle with. A decade ago, the first victims of any worm or virus outbreak had difficulty defending against a brand-new threat, leaving resources vulnerable until the attack could be detected and signatures created. Today the ultimate problem is the same, but the level of difficulty is considerably higher. Attacks used to be massive and indiscriminate, trying to catch anyone that had the vulnerability exploited by the malware. Once the new attack was discovered, one set of defenses could be deployed to neutralize the threat. Organizations that were not exploited would receive updated signatures to allow their perimeter and endpoint defenses to thwart the threat.
The environment has evolved from quick smash-and-grab tactics which exploit targets of opportunity to one that has targets of choice. Actors such as criminal organizations and nation states are interested in the long haul. They create specialized malware, intended for a specific target or groups of targets, with the ultimate goal of becoming embedded in the target's infrastructure. These threats are nearly always new and never seen before. This malware is targeted, polymorphic, and dynamic. It can be delivered via Web page, spear-phishing email, or any other number of avenues. The ultimate goal is typically data exfiltration, which lends itself to a low and slow approach where attacks can go unnoticed for long periods of time. In the example of the Shady RAT attack, intrusions went unnoticed for years. The desktop is typically not the ultimate target for an attack, but rather an entry point from which to escalate privileges and move laterally throughout the target organization, all without being detected. When coupling zero-day exploits and zero-day malware, attackers have an enormous head start against traditional defenses.
While methods vary, the commonality of these attacks is they are created to avoid detection by mainstream security technologies, such as antivirus, firewalls, and content inspection gateways. Following the emergence of these specialized threats, a new category of security technology aimed at detecting, analyzing, and preventing these threats has emerged. IDC is defining this market as Specialized Threat Analysis and Protection (STAP). Products within this market must use a predominantly signature-less technology (i.e., sandboxing, emulation, big data analytics, containerization) to detect malicious activity. These solutions can be based at the network level, on the endpoint, or both, and scan both inbound and outbound traffic for anomalies including botnet and command and control traffic. This market also includes products that allow for the reverse engineering and forensic analysis of discovered malware.
This new category leverages a variety of techniques to collect information around behavior, communication, activity, reputation, and other factors in order to detect the seemingly undetectable. Many of the products in this category attempt to solve the same problem (or some aspect of the same problem) by leveraging a different core technology. IDC puts the products into three general categories:
- Virtual sandboxing/emulation and behavioral analysis are increasingly being deployed to detect advanced malware. Since the targeted malware is designed to avoid signature based defenses, determining how the file will behave becomes increasingly important. Suspicious files can be sent to a virtual environment (either locally or in the cloud) where activity is analyzed to determine if registry keys are modified, processes are changed, or unexpected outbound communication is attempted. Finally, network traffic can be monitored for anomalous behavior, such as communications with command and control servers or with other resources on, or segments of the network that are outside the bounds of normal activity.
- Virtual containerization/isolation addresses the threat of advanced attacks from the endpoint. Solutions that follow this framework essentially forgo trying to prevent malware from breaching the organization but work to prevent malicious activity by limiting Internet connectivity or ration system resources. Applications and tasks are segmented and verified. When malicious activities occur, the segmentation can be locked down to prevent the malware from spreading or "phoning home." Eventually the malware can be removed from the environment and evaluated fully.
- Advanced system scanning also focuses on the endpoint, but rather than segmenting resources, lightweight agents examine system behavior for signs of malicious activity. This can be done by watching the operating system for registry modifications, questionable processes, or other signs, or by analyzing the actual physical memory for malicious activity. These solutions are designed to be lightweight so as to not impact performance and retain a stealthy posture on the device to prevent the malware's own stealth defense mechanisms from kicking in.
When dealing with advanced malware there is no magic bullet. However solutions must be put into context on what they provide. They need to be able to identify the malware as quickly as possible in order to limit the damage. The deployment of the products must center on the discussion of protecting data and critical assets. The safest course of action is to assume that a breach will occur and determine how best to limit the damage. As is often the case with security, the best defense is multilayered, and STAP is no different. The best solution is a combination of technologies that focus on preventing malware from entering the network, monitor internal traffic for lateral movement and egress traffic for command and control communications as well as data exfiltration, and leverage strong forensics capabilities to facilitate quick remediation. However, the deployment of that combination of technologies would be incredibly expensive, so a thorough evaluation of the existing infrastructure is necessary to determine what type of deployment would be most efficient at protecting the largest number of resources and limiting the most exposure.
Enterprises must not consider STAP as an immediate replacement for existing security technologies. Rather, STAP should be viewed as an evolution of the layered security, or "belt-and-suspenders 2.0." When used in concert with the existing security infrastructure — IPS, firewalls, anti-virus, Web/email gateways, and endpoint protection suites — STAP can help decrease infection rates by identifying the unknown before it becomes a problem.