Malware is a key vector for data breaches. Industry breach research attributes roughly 51% of data breaches to malware, whether used for the initial compromise, for lateral movement within the network, or for exfiltrating data. Yet despite malware being a pivotal attack vector, many companies still fail to detect data-theft malware operating inside their networks. In fact, some of the biggest and most widely publicized breaches ever were the result of undetected malware.
Why? Modern malware is built to evade traditional anti-malware defenses. Today's malware is a sophisticated, multi-stage attack tool designed to elude detection with an array of evasion and camouflage techniques. In the chess game between attackers and defenders, attackers constantly find new ways to stay one step ahead of existing defenses.
Here are five common evasion techniques used by modern malware and how they beat traditional anti-malware defenses.
Polymorphic malware: Many traditional anti-malware defenses rely on signatures of known malware, typically file hashes or fixed byte patterns. Modern data-theft malware counters this by constantly morphing. Re-encoding the payload with a fresh key, re-ordering or padding code, or recompiling with trivial changes produces a file with a new hash and a new byte pattern, even though its behavior is unchanged.
Such shapeshifting, zero-day malware beats signature-based defenses such as anti-virus, email filtering and IPS/IDS. Sandboxing, which observes behavior rather than bytes, is only evaded when the sample also recognizes the analysis environment and stays dormant inside it.
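The following is an added example, not code from the original article: a toy "polymorphic packer" that re-encodes the same benign payload with a fresh random XOR key on every generation. Every variant has a different hash and a different byte pattern, so a hash blocklist learned from one sample misses the next, while a check applied to the decoded content (what a memory scanner or behavioral engine sees) still matches every variant. The payload string, the 8-byte key length and the `demo` function are illustrative choices.

```python
"""Toy polymorphic packer (added example, not from the original article).

The same benign payload is XOR-encoded with a fresh random key each time,
so each variant has a new SHA-256 and a new byte pattern while behaving
identically once decoded.
"""
import hashlib
import os

# Constructed stand-in for a malicious payload; it is just a string.
PAYLOAD = b"benign demo payload: print('hello')"
KEY_LEN = 8  # illustrative key length


def xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the simplest possible 'crypter'."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def make_variant(payload: bytes = PAYLOAD) -> bytes:
    """Emit one generation: random key followed by the XOR-encoded body."""
    key = os.urandom(KEY_LEN)
    return key + xor(payload, key)


def unpack(variant: bytes) -> bytes:
    """What the stub at the front of a packed sample does at run time."""
    key, body = variant[:KEY_LEN], variant[KEY_LEN:]
    return xor(body, key)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_signature_hits(variants: list, blocklist: set) -> int:
    """File-hash detection: how many variants are on the blocklist as-is."""
    return sum(1 for v in variants if sha256(v) in blocklist)


def unpacked_content_hits(variants: list, pattern: bytes = b"demo payload") -> int:
    """Detection applied after unpacking, i.e. on the decoded content."""
    return sum(1 for v in variants if pattern in unpack(v))


def demo(n: int = 5) -> dict:
    variants = [make_variant() for _ in range(n)]
    # The signature database only ever saw the first sample.
    blocklist = {sha256(variants[0])}
    return {
        "distinct_hashes": len({sha256(v) for v in variants}),
        "hash_hits": hash_signature_hits(variants, blocklist),
        "unpacked_hits": unpacked_content_hits(variants),
    }


if __name__ == "__main__":
    print(demo())
```

Five generations yield five distinct hashes, one hash-signature hit (the sample the blocklist was built from) and five hits on the unpacked content, which is why signature engines that cannot see past the packer fall behind and engines that scan memory or emulate the stub do not.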
File-less malware: Many anti-malware tools inspect files on disk and operating-system (OS) processes to detect malicious activity. An increasingly common attacker technique is file-less malware, which runs only in memory, typically through a legitimate interpreter or script host already present on the machine, and writes no executable to disk. It is therefore invisible to defenses that scan files at rest, although it still leaves traces in process memory, command lines, script logs and network connections.
File-less malware beats IPS/IDS, UEBA, anti-virus and sandboxing that key on files; memory scanning, script-block logging and process-behavior telemetry are what catch it.
Encrypted payloads: Some anti-malware defenses use content scanning to block leakage of sensitive data, matching patterns such as card numbers or document markers in outbound traffic. Attackers get around this by encrypting communications between infected hosts and Command & Control (C&C) servers, so the scanner sees only high-entropy bytes with nothing to match.
Encrypted payloads beat DLP, EDR and secure web gateways (SWG) that inspect content without terminating TLS; what remains visible is metadata such as destination, volume, timing and the entropy of the stream.
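As an added example (not part of the original article), the block below runs a content-scanning DLP rule over a constructed batch of card-number records, once in the clear and once after encryption, and then applies the entropy heuristic a traffic analyzer can still use when the content is opaque. The "cipher" is a toy SHA-256 counter-mode keystream standing in for the TLS or custom crypto real malware uses; the records, the key and the 7.0 bits-per-byte threshold are illustrative.

```python
"""Content scanning vs. encrypted exfiltration (added example, not from the article).

A regex-based DLP rule finds every card number in the plaintext records and
none in the ciphertext; Shannon entropy of the stream still separates the two.
"""
import hashlib
import math
import re
from collections import Counter

# Constructed sample of the kind of data a DLP rule is written to catch.
RECORDS = b"\n".join([
    b"name=Alice Example,card=4111111111111111,exp=12/27",
    b"name=Bob Example,card=5500000000000004,exp=03/26",
] * 20)

# Toy DLP rule: 16-digit card-like numbers with Visa/MasterCard leading digits.
CARD_RE = re.compile(rb"\b[45]\d{15}\b")

DEMO_KEY = b"\x13" * 32  # constructed key, illustrative only


def keystream(key: bytes, nbytes: int) -> bytes:
    """SHA-256 counter-mode keystream (illustrative, not a vetted cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:nbytes])


def encrypt(plaintext: bytes, key: bytes) -> bytes:
    """XOR with the keystream; the same call decrypts."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))


def dlp_hits(stream: bytes) -> int:
    """Number of card numbers the content-scanning rule would see."""
    return len(CARD_RE.findall(stream))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: text sits around 4-5, ciphertext or compressed data near 8."""
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encrypted(stream: bytes, threshold: float = 7.0) -> bool:
    """Metadata-level heuristic usable when content inspection sees nothing."""
    return shannon_entropy(stream) >= threshold


def compare(key: bytes = DEMO_KEY) -> dict:
    cipher = encrypt(RECORDS, key)
    return {
        "plain_dlp_hits": dlp_hits(RECORDS),
        "cipher_dlp_hits": dlp_hits(cipher),
        "plain_entropy": round(shannon_entropy(RECORDS), 2),
        "cipher_entropy": round(shannon_entropy(cipher), 2),
        "plain_flagged_by_entropy": looks_encrypted(RECORDS),
        "cipher_flagged_by_entropy": looks_encrypted(cipher),
    }


if __name__ == "__main__":
    print(compare())
```

The DLP rule finds all 40 card numbers in the clear and zero once the stream is encrypted, while the entropy check flags the encrypted stream and not the plaintext. Entropy alone is noisy (compressed images and legitimate TLS look the same), which is why it is combined with destination reputation, volume and timing rather than used as a standalone verdict.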
Domain generation algorithm (DGA): Some anti-malware defenses carry lists of known C&C domains and IP addresses and block communication with them. Malware with a DGA gets around this by deriving a fresh batch of candidate domain names from a seed such as the current date; the operator registers only one or two of them, and the malware cycles through the list until one answers. A blocklist built from yesterday's domains contains none of today's.
DGA beats secure web gateways (SWG), EDR and sandboxing that rely on blocklists of known C&C addresses.
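The block below is an added example, not the article's or any real family's code: a minimal date-seeded DGA, the blocklist race it wins, and a crude lexical heuristic (long label with few vowels or a long consonant run) that flags the generated names without knowing the seed. The seed bytes, TLD list, label length and thresholds are illustrative choices.

```python
"""Date-seeded DGA and a lexical detector (added example, not from the article)."""
import datetime as dt
import hashlib
import string

ALPHABET = string.ascii_lowercase
TLDS = [".com", ".net", ".info"]
SEED = b"demo-family-seed"  # constructed; a real family hard-codes its own


def generate(day: dt.date, seed: bytes = SEED, count: int = 50) -> list:
    """Deterministic: operator and implant derive the same list from the date."""
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(2, "big")
        digest = hashlib.sha256(material).digest()
        label = "".join(ALPHABET[b % 26] for b in digest[:12])
        domains.append(label + TLDS[digest[12] % len(TLDS)])
    return domains


def blocklist_from(day: dt.date) -> set:
    """What a defender can build after observing one day's traffic."""
    return set(generate(day))


def blocked(domains: list, blocklist: set) -> int:
    return sum(1 for d in domains if d in blocklist)


def vowel_ratio(label: str) -> float:
    return sum(c in "aeiou" for c in label) / max(len(label), 1)


def max_consonant_run(label: str) -> int:
    best = run = 0
    for c in label:
        run = run + 1 if c not in "aeiou" else 0
        best = max(best, run)
    return best


def looks_generated(domain: str, min_len: int = 10,
                    max_vowel_ratio: float = 0.3, max_run: int = 4) -> bool:
    """Crude lexical test; production detectors use n-gram models and allowlists."""
    label = domain.split(".")[0]
    if len(label) < min_len:
        return False
    return vowel_ratio(label) <= max_vowel_ratio or max_consonant_run(label) >= max_run


def demo() -> dict:
    yesterday, today = dt.date(2024, 1, 1), dt.date(2024, 1, 2)
    todays = generate(today)
    return {
        "deterministic": generate(today) == todays,
        "blocked_today_by_yesterdays_list": blocked(todays, blocklist_from(yesterday)),
        "blocked_today_by_todays_list": blocked(todays, blocklist_from(today)),
        "flagged_by_heuristic": sum(looks_generated(d) for d in todays),
    }


if __name__ == "__main__":
    print(demo())
```

Yesterday's blocklist stops none of today's 50 candidates, while the lexical heuristic flags the large majority of them on any day. Operationally the stronger signal is the side effect of the algorithm itself: a host issuing dozens of lookups for never-before-seen domains that mostly return NXDOMAIN.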
Host spoofing: The malware sets header information such as the HTTP Host header (or TLS SNI) to a benign-looking name while the connection actually goes to the C&C server, obfuscating the true destination of the data and bypassing defenses that key on the addresses of known C&C servers.
Host spoofing beats secure web gateways (SWG), IPS/IDS and sandboxing that trust the header rather than the connection's real endpoint.
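One way to catch this, as an added example that is not part of the original article: the connection still has to reach the C&C server's real IP address, so a proxy or flow record carrying both the destination IP and the claimed Host name can be reconciled against DNS. The log lines, the log format and the passive-DNS table below are constructed sample data; in production the table would come from passive DNS or the resolver's own logs.

```python
"""Host-header vs. destination-IP reconciliation (added example, not from the article)."""
import ipaddress
import re

# Constructed passive-DNS snapshot: the IPs each name legitimately resolves to
# (RFC 5737 documentation addresses throughout).
DNS = {
    "www.example.com": {"93.184.216.34"},
    "cdn.example.net": {"198.51.100.10", "198.51.100.11"},
}

# Constructed proxy log, one connection per line, in an invented key=value format.
LOG = """\
2024-05-01T10:00:01Z src=10.1.2.3 dst=93.184.216.34:443 host=www.example.com
2024-05-01T10:00:07Z src=10.1.2.3 dst=198.51.100.11:443 host=cdn.example.net
2024-05-01T10:00:09Z src=10.1.2.9 dst=203.0.113.77:443 host=www.example.com
2024-05-01T10:00:12Z src=10.1.2.9 dst=203.0.113.77:80 host=update.example.org
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+):(?P<port>\d+) host=(?P<host>\S+)$"
)


def parse(log: str) -> list:
    """Parse the constructed log; lines that do not match the format are skipped."""
    matches = (LINE_RE.match(line) for line in log.splitlines())
    return [m.groupdict() for m in matches if m]


def classify(entry: dict, dns: dict = DNS) -> str:
    """'ok'      : destination IP is a known address of the Host name
       'spoofed' : Host names a known domain but the IP is not one of its addresses
       'unknown' : no DNS record for the Host name in our table (resolve it first)"""
    ipaddress.ip_address(entry["dst"])  # raise on garbage rather than silently match
    known = dns.get(entry["host"])
    if known is None:
        return "unknown"
    return "ok" if entry["dst"] in known else "spoofed"


def find_spoofed(log: str = LOG, dns: dict = DNS) -> list:
    return [e for e in parse(log) if classify(e, dns) == "spoofed"]


if __name__ == "__main__":
    for entry in find_spoofed():
        print(f"{entry['ts']} {entry['src']} -> {entry['dst']} claims host={entry['host']}")
```

The third line is flagged: the Host header names www.example.com but the bytes went to 203.0.113.77, an address that name has never resolved to. Expect noise from CDNs and shared hosting, where one name legitimately maps to many addresses, so the DNS table should be built from a long observation window and the check tuned to destinations that are new to the environment.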
What Can You Do?
Beating zero-day evasive malware is not easy, but there are several key steps you can take to severely limit its impact:
Apply multi-layer defenses: Protecting your organization against evasive malware is not a one-and-done proposition. It is an ongoing effort that combines endpoint defenses (such as anti-virus software and EDR) with network-layer protection such as firewalls, secure web gateways and traffic analysis. Each of the techniques above bypasses some controls and not others, so only layered protection closes the gaps any single control leaves.
Focus on zero-day malware: By some estimates, zero-day malware accounts for up to 50% of malware currently in circulation. It frequently goes unrecognized by existing anti-malware defenses and is a major source of data loss. Defense mechanisms that focus squarely on identifying and detecting zero-day malware, by its behavior rather than by signature, are a must-have.
Implement traffic analysis: Data-theft malware takes aim at the entire network. Although infection usually starts at a user endpoint, the attacker's aim is to expand to network resources and move the stolen data out. An anti-malware solution should therefore not focus on one segment or resource type alone but maintain a holistic view of the network and analyze what is actually happening on the wire: new or rare destinations, high-entropy outbound streams and bursts of failed DNS lookups are all traces the techniques above leave behind.
Leverage big data: A key ingredient in detecting zero-day malware is a broad information base amassed over time and across many organizations. It lets defenders spot malware activity on a global scale, correlate seemingly unrelated events, and track how a malware family develops and evolves.