How do you outsmart malware?

The growth of data breaches in recent months and years is in large part because of the new generation of smart malware being developed on a daily basis. Malicious actors are constantly taking advantage of technological innovations and breakthroughs to devise new ways to flood the Internet with new malware that circumvent security tools, propagate within networks and siphon critical data for months without being discovered.

Traditional security tools and solutions are having a hard time protecting clients against the constantly changing landscape of security threats and malware. No matter how large, virus definition databases don’t seem to account for the growing number of new malware species and variants, especially when they’re smart enough to evade discovery. More devious genus of malware are succeeding at even duping advanced security tools that discover threats based on behavior analysis.

Sophisticated, multi-layered security solutions are predicated on having enterprise-level budgets and resources and their deployment isn’t possible for small businesses and individuals at home, which are no less victims of malware and cyberattacks.

At present, the question is: Will security solutions keep up with the growing trend of smart malware?

The answer to that question might lie in new approaches to cybersecurity that defy the long-established reactive paradigm, which is to try spotting malware based on previously known data. Scientists and cybersecurity firms are now developing and employing new techniques based on our understanding of the mentality behind malware development, and are helping block unknown malware by manipulating the conditions and targets it seeks.

This new shift in malware detection is helping tech firms develop solutions that are smart enough to detect and block unknown viruses while being lightweight and deployable in varying execution environments.

Moving target

Both antivirus and security solutions based on behavior analysis are reactive in nature and need previous knowledge regarding the attack or vulnerable system in order to provide adequate protection. This provides attackers with an exceptional opportunity to target systems through unknown vulnerabilities.

Cybercriminals depend largely on zero days and unpatched vulnerabilities in operating systems and installed software to gain a foothold in the target computer and stage their attacks. The Symantec 2016 Internet Security Threat Report proves that cybercriminals are getting much better at discovering zero-day vulnerabilities in software.

Reducing the attack surface requires a considerable effort on the defender’s part. All the patching and updating that go into making your system immune against known attacks can be for naught if you don’t take one of the actions in time. Even with your entire system up-to-date, you have no idea of the unknown vulnerabilities that are lurking outside or even inside your network.

Experts at cybersecurity tech firm Morphisec intend to tackle this issue with a concept they call Moving Target Defense, a technique that prevents malware from finding the sought vulnerability in the first place.

“The attacker has to be stopped at the first step, before gaining an initial foothold in the system,” says Mordechai Guri, Chief Science Officer at Morphisec.

Recycling malware is easy, developing new malware from scratch is extremely difficult.

The technology suggested by Morphisec achieves this goal by concealing vulnerabilities in applications and web browsers, through a polymorphic engine that randomly scrambles the memory surface of processes at run time, making them unpredictable and indecipherable to attackers and malware. In this manner, any zero-day loophole or unpatched vulnerability will be concealed from prying eyes. “Each time an application or browser is loaded in memory,” says Guri, “we randomly change its memory structure.”

The moving target concept is effectively turning the table against the attacker: Instead of having security solutions chase malware, it is now the malware that is futilely chasing its target vulnerabilities.

“Like this, nothing is known or predictable to the attacker anymore,” Guri explains. “The attacker fails right at the beginning during the exploitation phase and is stopped before having a chance to inject malware into the target system.”

The firm has embedded the Moving Target Defense idea into a lightweight 1 MB endpoint threat prevention solution called Protector, which currently runs on Windows-based workstations and servers.

Keeping the environment hostile for the malware

Some of the more advanced security solutions use a “sandbox,” an isolated and ultra-secure environment in which executables are launched and scrutinized for the manifestation of malicious behavior before being given access to system resources. This technique helps detect and block some of the stealthier malware without allowing them to deal any damage.

In response, malware developers have learned to develop new specimens that remain dormant and refrain from executing until released from the restricted confines of the sandbox, after which they activate their payload and wreak havoc on the target system.

Minerva Labs, a cybersecurity startup that came out of stealth in January, has presented a technique that dupes malware into thinking it is constantly in a hostile environment, thus convincing it to avoid unpacking and executing its malicious payload for fear of being detected and blocked.

Will security solutions keep up with the growing trend of smart malware?

Minerva achieves this by simulating the constant presence of different sophisticated cybersecurity tools, such as sandboxes and Intrusion Prevention Systems (IPS), trapping the malware in a situation that prevents it from knowing where it is. Not being able to differentiate between the simulated environment and real security environment that it tries to evade, the malware will continue to remain inactive, waiting for conditions that will never materialize.

Since the entire concept is based on deception and decoys, its implementation has been made possible through a passive endpoint protection tool with a low memory footprint, which integrates and complements other security solutions installed on user devices.

Predicting the future

The traditional process in dealing with malware is to discover the threat, register the signature and subsequently deliver a definition update to endpoint protection tools. For attackers, breaking through this loop is as easy as modifying the malware code and recompiling it to create a totally new threat that has to be reprocessed in the discovery, definition and update delivery cycle. This is what MIT Technology Review’s David Cowan compares to antibiotic-resistant bacteria, which adapt to our defenses and render them obsolete.

The Symantec paper discovered more than 430 million new and unique pieces of malware in 2015, a 36 percent growth in comparison to the previous year. That’s more than a million new pieces of malware written each day. However, what’s worth noting is that more than 90 percent of new malware are in fact modified variants of the old specimens, and even new, zero-day malware use elements and components of previous ones.

This proves that while recycling malware is easy, developing new malware from scratch is extremely difficult.

Cybersecurity startup CyActive took advantage of this fact to develop a solution that thwarts the plans of malware developers by preventing them from reusing previous code.

The solution uses a predictive engine that uses bio-inspired algorithms and a deep understanding or hacker behavior to automatically forecast how current malware will be manipulated and modified in the future. This way, hundreds of thousands of malware derivatives are predicted and fed into detector systems that anticipate and prevent future attacks on network and endpoint devices. The only option left to cybercriminals is to create new malware, which is a painful and lengthy process.

CyActive was acquired by PayPal in 2015 and is now using its security solution to secure PayPal networks and clients.

Fighting malware proactively

Malware are growing in number and sophistication. Our security solutions need to evolve in tandem in order to be able to respond to the threats of the future. Proactive tools and approaches can help complement and strengthen current security solutions. They can also fill a large part of the gap left by human error, which accounts for the success of a large number of security incidents. As long as we’re running behind malware, we’ll never be safe.