Evasive malware has become a key threat to businesses’ sensitive data. Stealing and selling sensitive data on the Darknet is a lucrative business for hackers, who increasingly rely on evasive malware to penetrate corporate networks.
A study by Verizon found that over 50% of data breaches involve the usage of malware in some capacity. Indeed, some of the largest and best-known data breaches on record, such as Target, Anthem Health, The Home Depot and the U.S. Federal Office of Personnel Management (OPM) were the result of evasive malware running undetected in the network over long periods. These organizations all have large security teams, massive IT budgets and multi-layered anti-malware protections. And yet, in each of these cases these defenses were all circumvented by evasive malware.
Built to Evade
The reason is that modern malwares are engineered to evade traditional anti-malware defenses. Gone are the days of static executable binaries that communicated with a fixed command-&-control (C&C) server over plain text communications. Today’s latest malwares are sophisticated attack tools that include an array of evasion techniques designed to fool, elude, and bypass existing anti-malware defenses.
Some commonly found evasion techniques found in modern malware include:
- Polymorphic (shapeshifting) malware that changes its binary signature very rapidly, thereby evading traditional file scanners.
- File-less malware such as CodeFork run in run-time memory only and leave no footprint on the host.
- Fast-adapting malware such as Nymaim use host spoofing and domain generation algorithms to rapidly change their communication patterns and evade secure web gateways.
- SSL encryption to mask malware communication traffic and bypass data leakage prevention (DLP) mechanisms.
- … And others…
As a result, customers are increasingly exposed to data breaches caused by undetected evasive malware in their networks, and the inevitable massive financial damage that follows. Many customers are covered by industry regulations such as PCI-DSS, HIPAA and others. For example, PCI-DSS requirements for retail and financial organizations impose a fine of $50-90 per every record of compromised cardholder data. Even for medium-sized breaches, this can quickly reach into millions of dollars in fines. Other sources of financial damage include loss of reputation, civil litigation by breached customers, and loss of future sales.
Moreover, new regional regulations such as the EU General Data Protection Regulation (GDPR) imposes major financial penalties on organizations that fail to protect personally identifiable information (PII) of EU entities. GDPR penalties can reach as high as €20 million or 4% of annual global turnover – whichever is higher.
Traditional Defenses are not Enough
With the prevalence of evasive malware in the data-theft kill chain, you would expect that existing defenses would prioritize the detection and identification of zero-day malware, in order to block their activity.
In reality, however, traditional anti-malware defenses are severely limited in their ability to combat evasive zero-day malware because of constraints on how they are designed and deployed. There are a number of common constraints that are shared by many traditional anti-malware defense layers:
- Rely on known signatures: Many defenses such as endpoint anti-virus software, email scanners, and content filtering mechanisms rely on signatures of known threats. As a result, they are unable to detect zero-day and emerging threats.
- Limited scope: Most traditional anti-malware defenses are confined to a particular type of asset or network layer. For example, anti-virus software will usually only protect the endpoint, but will not prevent lateral expansion within the network; email malware scanners will protect against infection by phishing emails, but will not detect other methods of entry; and so on.
- Inline deployment: Many defenses, such as malware scanners, secure web gateways, next-generation firewalls (NGFW) and others are deployed inline, meaning that for every inspected sample, they must make an immediate, real-time decision of whether to allow or block it. This leaves very little time for deep analysis of the file contents or traffic patterns. Such defenses are careful not to cause interruption to business communications, so unless it conforms to any known signature or pattern, by default it will usually be allowed through.
- Lack of context: Finally, many anti-malware mechanisms suffer from lack of context, both of data and time. Most defenses do not have visibility beyond themselves to what is happening in other defenses, what is happening in other organizations, and how threats develop over time. As a result, they lack context to understand how a particular malware sample might tie into other threats seen by other organizations, or how a sample that it is examining now might relate to a different one that it saw months before. This lack of width and breadth of data and time is a severe limitation on the effectiveness of traditional anti-malware in detecting and blocking new malware.
A New Approach for Blocking Evasive Malware
Radware launched a new Cloud Malware Protection Service, which is specifically designed to protect organizations against data-stealing evasive malwares.
Radware’s approach is based on traffic analysis of network browsing data, in order to identify communication anomalies indicative of zero-day and evasive malware. This approach allows Radware to see through evasion techniques that commonly evade traditional defenses. Read more about how modern malware evades existing defenses, and how you can overcome them, with our new paper: 5 Ways Modern Malware Defeats Your Defenses… And What You Can Do About It.