Technologies present in modern cybersecurity and threat protection tools
Organizations today face increasing volumes of advanced cyberattacks, with ransomware being the one most commonly mentioned in the news and media. The significant rise of crypto-ransomware is a logical consequence of the ever-increasing financial viability of such attacks and of the fact that they are not focused on specific organizations, instead resorting to mass attack campaigns. Attackers employ various techniques and use “advanced” attacks that involve repacking/rehashing malware to avoid pattern detection (though they often resort to known or slightly modified malware), as well as possibly SSL-encrypted command and control (C&C) communication (“regular” domain SSL certificates have been available for free for some time now).
What about the pattern today?
The issue with the standard pattern or file hash approach is primarily that the files used in an attack are generated per campaign, and as such are not known to any AV vendor that could include them in its reputation databases. Distribution of reputation data following analysis and detection of malicious content is also not done in real time, a delay that works in favor of malware campaigns. What is undeniable, however, is the verification speed of such patterns: since most malicious content has already been analyzed and is well known, there is no sense in spending the resources and time of modern technologies such as machine learning and sandboxing on re-analyzing threats that are already known.
Layered security approach
Modern technologies undoubtedly have their place in the security landscape of today’s organizations, especially when used for protection from new or – even worse – targeted attacks. The fastest and most accurate way to generate such knowledge or reputation data (whether for files, URLs, or IPs) is within the organization itself, especially as some attacks may never reach the sensors outside the organization (security vendors). This lets us avoid introducing new vulnerabilities and remove existing ones from the organization, which means the attack surface has not been altered. We use internal security devices (primarily sandboxing and machine learning) to automatically carry out analysis under identical conditions (the organization’s OS, applications, and complete environment), generate results, and find potentially suspicious objects.
The point is that traditional technologies still hold their value, and a specific place in the order of checks, within the organization’s overall security policy, because they conserve resources and detect known threats faster.
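As an added illustration of this ordering (example code written for this article, not a Trend Micro component), the scanner below checks a local hash reputation store first, then cheap byte patterns, and only escalates what is still unknown to an expensive analysis step. The `analyze` callable stands in for the sandbox/machine-learning tier; its verdict is written back into the local store so the same object is never analyzed twice. The sample bytes and the pattern are constructed for the example.

```python
import hashlib
from typing import Callable, Dict, List, Tuple

# Constructed stand-ins for files seen at the perimeter (not real malware).
KNOWN_BAD = b"MZ\x90\x00 dropper build 1 ransom-note-dropper"
REPACKED = b"MZ\x90\x00 packed-stub ransom-note-dropper build 2"   # new hash, old code
UNKNOWN = b"MZ\x90\x00 quarterly-report-generator"


class LayeredScanner:
    """Cheap checks first; the expensive tier only sees what is still unknown."""

    def __init__(self, analyze: Callable[[bytes], str], patterns: List[bytes]):
        self.reputation: Dict[str, str] = {}   # sha256 -> verdict, built in-house
        self.patterns = patterns                # byte patterns that survive repacking
        self.analyze = analyze                  # sandbox / ML tier (expensive)
        self.analyses = 0                       # how often the expensive tier ran

    def seed(self, data: bytes, verdict: str) -> None:
        """Load a verdict already known from earlier analysis or vendor feeds."""
        self.reputation[hashlib.sha256(data).hexdigest()] = verdict

    def scan(self, data: bytes) -> Tuple[str, str]:
        """Return (verdict, tier that produced it)."""
        digest = hashlib.sha256(data).hexdigest()
        if digest in self.reputation:           # tier 1: hash reputation, O(1)
            return self.reputation[digest], "hash"
        for pattern in self.patterns:           # tier 2: pattern match
            if pattern in data:
                self.reputation[digest] = "malicious"   # remember the new hash
                return "malicious", "pattern"
        verdict = self.analyze(data)            # tier 3: sandbox / ML, slow
        self.analyses += 1
        self.reputation[digest] = verdict       # feed the result back to tier 1
        return verdict, "analysis"


def toy_analysis(data: bytes) -> str:
    """Constructed stand-in for the sandbox verdict; real tiers run the file."""
    return "malicious" if b"ransom" in data else "clean"


def demo() -> Tuple[Tuple[str, str], Tuple[str, str], Tuple[str, str], Tuple[str, str], int]:
    scanner = LayeredScanner(toy_analysis, patterns=[b"ransom-note-dropper"])
    scanner.seed(KNOWN_BAD, "malicious")
    first = scanner.scan(KNOWN_BAD)      # hash hit, no analysis
    second = scanner.scan(REPACKED)      # hash miss, pattern hit
    third = scanner.scan(UNKNOWN)        # escalated to analysis once
    fourth = scanner.scan(UNKNOWN)       # now served from the local store
    return first, second, third, fourth, scanner.analyses
```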
Modern technologies (sandboxing and machine learning)
To make sandboxing as streamlined as possible, having access to corporate OS images – with all corporate tools and software included – can be very beneficial. An additional advantage against sandbox evasion techniques can be gained by building on an open source solution (e.g. VirtualBox), so that the default virtual hardware settings can be changed, which makes it more difficult for malware to detect the sandbox environment. A further advantage of the Trend Micro solution is the potential integration with software from other vendors, or scripting of specific sandbox interactions.
The quantity of data used to “train” the tools is extremely important for the machine learning component. Trend Micro is among the pioneers of cloud data collection and analysis – with its Smart Protection Network it has collected large volumes of data for more than 10 years, making the Trend Micro knowledge base for the machine learning component truly expansive. In addition, the same technology is used to monitor the behavior of files, not just their static features. Another specific advantage of using Trend Micro solutions stems from its significant number of large customers in the region, which means that false positives on specific regional content or sources are very rare.