Malware: Coming Soon to Your Company?

Editorial Type: Opinion     Date: 08-2014
As the malware threat evolves, businesses need to rethink their methods of protection. They can no longer rely solely on techniques such as signature-based detection, argues Dr Andrew Armstrong, chief security consultant for Perspective Risk.

Combating malware with signatures could be compared with the police fingerprinting everyone. It sounds like a good idea, but evolving malware can change its fingerprint at will, so it may be time to start looking at how malware behaves rather than how it looks. Security tools based on behaviour detection are designed to address this problem.

Traditional malware tools compare the code in an application against a blacklist of known-bad signatures. Behaviour-based tools instead analyse how the application interacts with the system, judging whether it is benign or malicious from a series of actions rather than from any single one: "Did it open the registry?" That by itself isn't bad. "Did it write to the registry?" By itself, that isn't necessarily bad either. "Did it write to the RunOnce registry key?" That is bad, because it arranges for the program to be launched again at the next logon, a classic persistence step.
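The contrast between the two approaches, as an added example that is not part of the original article: a signature check over a file's hash, beside a behaviour check over the sequence of actions the same program performs. The payload bytes, the event traces, the scoring weights and the `MALICIOUS_THRESHOLD` value are all constructed for illustration (real products hold far larger rule sets); the drop-and-execute rule goes beyond the article's registry example and is an assumption of this code.

```python
import hashlib
from dataclasses import dataclass

# --- Signature-based check -------------------------------------------------
# Constructed sample bytes standing in for a known dropper, and the hash
# blacklist a signature-based tool would hold for it.
ORIGINAL_PAYLOAD = b"MZ\x90\x00 constructed dropper sample v1"
SIGNATURE_BLACKLIST = {hashlib.sha256(ORIGINAL_PAYLOAD).hexdigest()}

# The same sample repacked with one byte changed: the "fingerprint" changes,
# the behaviour does not.
REPACKED_PAYLOAD = ORIGINAL_PAYLOAD.replace(b"v1", b"v2")


def signature_match(payload: bytes) -> bool:
    """True if the file's hash is on the blacklist (what a signature tool does)."""
    return hashlib.sha256(payload).hexdigest() in SIGNATURE_BLACKLIST


# --- Behaviour-based check -------------------------------------------------
@dataclass(frozen=True)
class Event:
    """One observed interaction with the system (constructed telemetry)."""
    action: str   # "reg_open", "reg_write", "file_write", "process_create"
    target: str   # registry key path or file path


# Windows autostart keys: a value written here is launched at the next logon,
# so a write to one of these is the persistence step from the article.
AUTOSTART_KEY_SUFFIXES = (
    r"\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
    r"\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE",
)

MALICIOUS_THRESHOLD = 10   # assumed tuning value, not from the article


def is_autostart_key(key_path: str) -> bool:
    return key_path.upper().endswith(AUTOSTART_KEY_SUFFIXES)


def behaviour_score(events):
    """Score a process by the sequence of its actions, not by its bytes.

    Returns (score, reasons). Individual actions are nearly worthless on their
    own; the score comes from the combination and the specific targets.
    """
    score = 0
    reasons = []
    dropped = set()           # files this process wrote into a temp directory
    for ev in events:
        if ev.action == "reg_open":
            continue          # "Did it open the registry?" - not bad by itself
        if ev.action == "reg_write":
            if is_autostart_key(ev.target):
                score += 10   # "Did it write to the RunOnce key?" - bad
                reasons.append(f"persistence via {ev.target}")
            else:
                score += 1    # ordinary registry write - mildly interesting
        elif ev.action == "file_write" and "\\TEMP\\" in ev.target.upper():
            dropped.add(ev.target.upper())
        elif ev.action == "process_create" and ev.target.upper() in dropped:
            score += 5        # drop-then-execute (assumed rule, beyond the article)
            reasons.append(f"executed dropped file {ev.target}")
    return score, reasons


def classify(events):
    score, reasons = behaviour_score(events)
    verdict = "malicious" if score >= MALICIOUS_THRESHOLD else "benign"
    return verdict, score, reasons


# Constructed traces. A legitimate installer touches the registry too, but
# never an autostart key; the dropper does, however it was packed.
INSTALLER_TRACE = [
    Event("reg_open", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall"),
    Event("reg_write", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Editor"),
    Event("file_write", r"C:\Program Files\Editor\editor.exe"),
]

DROPPER_TRACE = [
    Event("file_write", r"C:\Users\alice\AppData\Local\Temp\svc.exe"),
    Event("process_create", r"C:\Users\alice\AppData\Local\Temp\svc.exe"),
    Event("reg_open", r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    Event("reg_write", r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"),
]

if __name__ == "__main__":
    for name, payload in (("original", ORIGINAL_PAYLOAD), ("repacked", REPACKED_PAYLOAD)):
        print(f"{name}: signature match = {signature_match(payload)}")
    for name, trace in (("installer", INSTALLER_TRACE), ("dropper", DROPPER_TRACE)):
        print(f"{name}: {classify(trace)}")
```

The repacked sample no longer matches the hash blacklist, yet it produces exactly the same `DROPPER_TRACE` and is still scored as malicious; the installer writes to the registry as well and stays benign because of where it writes, not whether it writes.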

However, the major challenge we face isn't whether malware protection should be signature- or behaviour-based; it is gaining an understanding of the tactics attackers might use. We over-rely on security tools that depend on historical knowledge, whether that is signatures, tactics or URLs. For example, deep packet inspection generally uses a library or list of URLs known to be bad. Whitelisting technologies may depend on cloud-based lists of allowable functions, but this is still reliant on prior knowledge, which is static and requires periodic updates. Tools that assess how a piece of malware acts, rather than what its code looks like, are needed for a sustainable long-term anti-malware effort, and if we don't include such behaviour-based, algorithmic tools in our defence strategy we are buying a false sense of security.

Given the level of current and future malware sophistication, there is a need to take the protection of internal networks more seriously. We know that hardening the perimeter with firewalls isn't enough, yet we continue to leave networks flat and unprotected inside the firewall. There has to be greater recognition that the security of the internal network is just as important as perimeter management: segment high-value assets away from heavily trafficked parts of the network and institute stronger authentication and password management inside it, so that the compromise of one network segment cannot spread to others.
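A way to check the claim above before an attacker does, as an added example that is not part of the original article: model the inter-segment firewall policy as an allow-list and compute how far a compromise of one segment can spread when each reachable segment becomes the next pivot. The segment names, the two policies and the single `mfa` flag on a rule (standing in for the stronger authentication the article calls for) are constructed for illustration and are not taken from any real network.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """An allowed flow between two segments (constructed policy model)."""
    src: str
    dst: str
    mfa: bool = False   # True: the hop also requires a second factor at the destination


# Constructed segments; "finance_db" is the high-value asset.
SEGMENTS = ("user_lan", "guest_wifi", "web_dmz", "jump_host", "finance_db")

# Flat network: the firewall guards only the perimeter, so every internal
# segment can reach every other.
FLAT_POLICY = [Rule(s, d) for s in SEGMENTS for d in SEGMENTS if s != d]

# Segmented network: an explicit allow-list, everything else denied. The only
# route to the database is through a bastion that enforces MFA.
SEGMENTED_POLICY = [
    Rule("user_lan", "web_dmz"),               # staff use the intranet app
    Rule("user_lan", "jump_host", mfa=True),   # admins reach the bastion with MFA
    Rule("jump_host", "finance_db"),           # only the bastion reaches the database
]


def blast_radius(policy, start, attacker_has_mfa=False):
    """Segments an attacker who controls `start` can reach.

    Allowed flows are followed transitively: each segment reached becomes a new
    pivot, which is how a compromise spreads across a flat network. Hops that
    require MFA are only usable if the attacker also has a second factor
    (a reused password alone is not enough).
    """
    reached = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for rule in policy:
            if rule.src != cur or rule.dst in reached:
                continue
            if rule.mfa and not attacker_has_mfa:
                continue
            reached.add(rule.dst)
            queue.append(rule.dst)
    reached.discard(start)
    return reached


def unprotected_sources(policy, high_value, untrusted):
    """Untrusted segments from which `high_value` is reachable with network
    access and reused passwords alone. An empty list is the desired result."""
    return [s for s in untrusted if high_value in blast_radius(policy, s)]


if __name__ == "__main__":
    untrusted = ["user_lan", "guest_wifi", "web_dmz"]
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(f"{name}: user_lan compromise reaches {sorted(blast_radius(policy, 'user_lan'))}")
        print(f"{name}: finance_db exposed to {unprotected_sources(policy, 'finance_db', untrusted)}")
    # Even with segmentation, a phished second factor reopens the path:
    print("segmented + stolen MFA:",
          sorted(blast_radius(SEGMENTED_POLICY, "user_lan", attacker_has_mfa=True)))
```

On the flat policy a single infected workstation reaches every segment, database included. On the segmented policy the same workstation reaches only the intranet app, and the database is exposed to no untrusted segment; the last line shows why the article pairs segmentation with stronger authentication, since an attacker who also obtains the second factor walks straight through the bastion.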

Segmentation doesn't have to be limited to the network; virtualisation and application sandboxing are increasingly used to provide a protective bubble around the execution of untrusted code. However, sandboxing isn't foolproof. Attackers can find vulnerabilities in the sandbox's parent (broker) process or in the operating system itself. If they can exploit a flaw in either one to tamper with the sandbox's restrictions, their malware can escape the sandbox and run with system-level privileges rather than inside the container.

There is a need to recognise that malware is a moving and growing threat, and no single defence mechanism will neutralise it and completely protect your business. A layered, integrated approach is more likely to be effective: one that uses a range of defence methodologies to keep attackers at bay. This defence-in-depth approach is more likely to stand up to future malware, wherever attackers take the technology. That's a key advantage, given that the scariest exploits are the ones we don't know about yet.
