Malware Detection Techniques – Why You Should Monitor Attack Campaigns

Posted by Lastline FEB 15, 2018 ON

By the end of 2017, 70% of organizations believed that their endpoint security risk had grown significantly over the last twelve months. At the same time, general faith in antivirus solutions and malware detection techniques had degraded. With quickly proliferating endpoints, multiple attack vectors, and networks of ever-increasing complexity, organizations are finding it all but impossible to monitor and mitigate individual security incidents. But there is a solution. By looking at attack campaigns rather than chasing down individual incidents, organizations can achieve a holistic, next-generation approach to network protection. This approach improves security effectiveness and security team productivity while reducing risk.

Chasing Individual Alerts = Road to Nowhere

Traditionally, malware detection techniques and mitigation solutions have tracked and reported individual point-in-time alerts. This leaves analysts to hunt down and mitigate each one, many of which turn out to be false positives. Eventually, this rush of isolated alerts becomes background noise to an analyst, causing analysts to prioritize some and ignore others. Though this leads to short-term efficiency, it also sets the analyst up for failure; eventually, a significant threat will find its way through.

More than 90% of cybersecurity professionals are concerned that hackers will be using AI in sophisticated, harder to detect cyberattacks. These are no longer single events, but instead complex, prolonged campaigns. Rather than simply scanning for vulnerable systems and attacking vulnerabilities once, criminal attackers are selecting targets and engaging them over time. Artificial intelligence is making it easier to wage long-term campaigns. Many attacks today are multi-faceted or a part of larger campaign strategies, and many of the malicious attacks that have occurred in recent years have taken down large numbers of businesses at once. All of this creates a type of “living” attack that happens over time rather than being comprised of a singular incident.

Painting a Picture of an Attack

During a riot, peace officers don’t concentrate on individual rioters. They need to look at how the crowd is behaving, where it needs to be controlled, and which areas of the crowd require the highest level of response. Organizations must approach security threats in a similar way; by looking at the behavior as a whole.

By looking comprehensively at all facets of an attack, you are:

More likely to identify sophisticated attacks . A sophisticated attack is not likely to look at only a single vulnerability. Instead, it will attempt multiple methods of gaining entry into a system. With the advent of the IoT and mobile devices, cyber attackers now have virtually limitless resources that they can use to attack a target. Machine learning and artificial intelligence further improve their chances of eventually finding a weakness. A holistic approach looks at the entirety of the network and can identify and correlate behaviors and activities that are part of a multi-faceted attack.

. A sophisticated attack is not likely to look at only a single vulnerability. Instead, it will attempt multiple methods of gaining entry into a system. With the advent of the IoT and mobile devices, cyber attackers now have virtually limitless resources that they can use to attack a target. Machine learning and artificial intelligence further improve their chances of eventually finding a weakness. A holistic approach looks at the entirety of the network and can identify and correlate behaviors and activities that are part of a multi-faceted attack. Able to decrease time-to-detection . Rather than having to chase down individual alerts, analysts will be able to see the whole picture of system security — elevating visibility into high-risk threats that are hard to detect and fully piece together when investigating individual alerts. Decreased time to detection means that the company may be able to reduce damages even if it is successfully penetrated, as well as increasing the chances that penetration itself can be mitigated. Analysts can then escalate incidents and implementing blocking and mitigation efforts in a more proactive manner.

. Rather than having to chase down individual alerts, analysts will be able to see the whole picture of system security — elevating visibility into high-risk threats that are hard to detect and fully piece together when investigating individual alerts. Decreased time to detection means that the company may be able to reduce damages even if it is successfully penetrated, as well as increasing the chances that penetration itself can be mitigated. Analysts can then escalate incidents and implementing blocking and mitigation efforts in a more proactive manner. Able to improve time-to-mitigation . Analysts will be chasing down fewer false starts, and consequently will be able to focus their resources on a singular attack incident. By reducing time-to-mitigation and time-to-detection, businesses will reduce their IT costs. Organizations will be able to spend this money on additional IT security, including upgrades to systems and better security solutions. IT professionals will be able to focus on improving other areas of the network and other revenue generating activities.

. Analysts will be chasing down fewer false starts, and consequently will be able to focus their resources on a singular attack incident. By reducing time-to-mitigation and time-to-detection, businesses will reduce their IT costs. Organizations will be able to spend this money on additional IT security, including upgrades to systems and better security solutions. IT professionals will be able to focus on improving other areas of the network and other revenue generating activities. Increasing analyst productivity and efficiency. Investigating a single incident, even if it is comprised multiple related alerts, is much easier and far less time-consuming than trying to piece together individual alerts. This allows your analysts to be more productive.

On average, it takes 46 days to detect and resolve a cyberattack, at a cost of $21,155 per day. Organizations can substantially reduce their costs by reducing the amount of time it takes to detect and mitigate threats.

Connecting the Dots

Seeing separate alerts as pieces of a larger attack ultimately comes down to your analysts. They need to know how to look at the data and ultimately see the forest for the trees. When examining a potential attack and piecing together individual alerts into an incident, it’s essential to use a combination of deterministic-based correlations and probabilistic algorithms.

Deterministic items include any logical inferences and relationships that can be made based on known data. For example, if you know that a particular strain of malware wants to first connect for command and control and then download additional malware, when those specific activities are detected it’s evident that they are part of the same attack.

Probabilistic items naturally refer to probabilities: what are the chances of an alert or multiple alerts meaning X. For example, if a number of events happen within a short amount of time, it is highly probable that they are connected.

Of course, your analysts can’t do all of the heavy lifting. Identifying separate alerts as being part of a larger whole also requires technology that can help your analysts to “connect the dots.”

Thankfully, there are solutions that can map complex attacks in real-time, giving analysts all the information they need to identify multi-faceted incidents and respond to threats before they become dangerous to an organization.

Through advanced cybersecurity solutions, businesses can focus their efforts on the threats that are most substantial to them, rather than wasting time chasing down each alert. As networks become more complex and additional endpoints are added, this type of all-in-one cybersecurity solution becomes even more critical.

By looking at an attack as a whole and applying both deterministic and probabilistic analysis, Lastline Breach Defender is not only able to identify threat incidents quickly and correlate all activity and alerts generated by a particular attack, but additionally is able to determine the overall scope of the attack, enabling fast and efficient remediation. As a holistic system containing malware analysis, threat analysis, and network analysis, Lastline Breach Defender can cover all aspects of network traffic analysis and response. Learn more about Lastline Breach Defender.