The need for advanced technology in cybersecurity

ESET Software Australia

By Nick FitzGerald, Senior Research Fellow, ESET
Monday, 17 June, 2019



As cybercriminals continue to ramp up their attacks, traditional security tools are no longer up to the task of protecting organisations. It’s no longer a matter of ‘if’ an organisation is attacked, but rather ‘when’ — without adequate security measures in place, almost every business is likely to become a victim of a successful cyber attack.

The ramifications of cyber attacks can range from mild inconvenience to catastrophic downtime. The importance of having a strong security posture can’t be overstated, and most business leaders and IT managers are well aware of this. Unfortunately, this has led to a proliferation of vendors claiming to provide innovative solutions and dismissing established vendors as irrelevant, despite often building their own solutions on technology developed by established vendors.

However, given the rapid evolution of threats since these technologies were initially developed, it’s important for today’s solutions to go well beyond the technology of the 1990s. Antivirus, once the mainstay of IT security, is not sufficient to protect against sophisticated threats. Therefore, IT security professionals need to understand the threat landscape and the advanced technologies that can help combat cyber attackers.

Attackers are currently exploring ways to use different platforms and processes to compromise their targets. Anything that runs executable code to process external data can potentially be hijacked by malicious data. This means Linux servers, Macs and even mobile phones are all increasingly popular targets for cybercriminals. Attacks on routers are becoming a serious threat and virtualisation, the Internet of Things and even web browsers are adding to this complexity.

The attack vectors have also evolved and there are myriad ways for attackers to distribute their malware. They can attack via attachments or links in emails; downloads from web pages; scripts in documents; removable devices like USBs; or by taking advantage of poor authorisation and weak passwords. Attackers can leverage exploits or use social engineering techniques to trick end users into installing malware.

Cybercriminals invest serious time and money into developing malware and ensuring they won’t get caught. The sophistication of these techniques makes them increasingly difficult to detect. Thousands of variants of the same malware can make it even more difficult to combat effectively, and attackers often use clean software components or certificates stolen from legitimate companies so that their illegitimate code is harder to spot.

Decentralised control of botnets using peer-to-peer networking is commonly used, and encrypted communication makes it harder to identify attacks. Domain generation algorithms reduce the effectiveness of detection based on blocking known URLs. Attackers also take control of legitimate websites that have good reputations, and even legitimate advertising services are used to serve up malicious content.

With so much danger lurking in every corner of the digital environment, it’s essential to have the right security tools in place to protect businesses.

The right tools must be based on a state-of-the-art scanning engine that is constantly being developed to cover modern threats. The scanning engine identifies possible malware and makes automated decisions about how likely the inspected code is to be malicious.

The scanning engine can’t be based on manually crafted assembly code. Instead, it should use binary translation together with interpreted emulation. This approach is many times faster than older approaches and lets users analyse hundreds of different file formats to accurately detect embedded malicious components.

A multilayered, real-time solution is required to assure the highest level of security. This must include solutions that can detect threats at different points during their life cycles in the system.

For example, security tools should include a dedicated layer that protects the Unified Extensible Firmware Interface (UEFI). This layer checks and enforces the security of the pre-boot environment and can detect malicious components in the firmware and report them to the user. Given the control and stealth options a UEFI compromise provides an attacker, it’s essential to protect it with a dedicated approach.

DNA detections are complex definitions of malicious behaviour and malware characteristics. These are based on collections of behaviours rather than pattern matching, performing deep analysis of code and extracting the ‘genes’ that are responsible for its behaviour. This provides far more information than indicators of compromise used by many so-called ‘next gen’ solutions. In fact, a single, well-crafted DNA behavioural description can detect tens of thousands of related malware variants including new, previously unknown variants.

Solutions should use machine learning that combines the power of neural networks (such as deep learning and long short-term memory) with classification algorithms to generate a consolidated output and correctly label new files as clean, potentially unwanted or malicious. Machine learning should be fine-tuned to cooperate with other protective technologies to offer the best detection rates and the lowest number of false positives.

Blacklisting using hashing can work well for files and URLs. Solutions should take fuzzy hashing to the next level by hashing not the data itself but the behaviour described in DNA detections. This can help block thousands of different variants of malware instantly.
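To make the point of the two paragraphs above concrete (DNA detections that extract behavioural ‘genes’, and hashing that behaviour rather than the bytes), here is an added Python illustration. It is not ESET’s code or its DNA format and is not from the original article; the gene catalogue, the regular expressions and the three sample ‘scripts’ are constructed for this example.

```python
import hashlib
import re

# Constructed catalogue of behavioural "genes" (assumption: an illustrative
# subset, not any vendor's real DNA catalogue). Each gene is a behaviour,
# not a byte pattern, so renamed variables and junk code do not affect it.
GENES = {
    "proc_inject": r"\b(WriteProcessMemory|CreateRemoteThread)\b",
    "persist_run_key": r"\bRegSetValue\w*\(.*CurrentVersion\\Run",
    "net_download": r"\b(URLDownloadToFile|InternetOpenUrl\w*)\b",
    "disable_av": r"\b(DisableRealtimeMonitoring|TamperProtection)\b",
}

def file_hash(sample: bytes) -> str:
    """Exact hash: matches only a byte-for-byte identical sample."""
    return hashlib.sha256(sample).hexdigest()

def extract_genes(sample: bytes) -> frozenset:
    """Return which behaviours are present; order and naming are ignored."""
    text = sample.decode("utf-8", errors="replace")
    return frozenset(g for g, pat in GENES.items() if re.search(pat, text))

def behaviour_hash(sample: bytes) -> str:
    """Hash the canonical (sorted) gene set instead of the raw bytes."""
    canon = "|".join(sorted(extract_genes(sample)))
    return hashlib.sha256(canon.encode()).hexdigest()

def is_blocked(sample: bytes, blocklist: set) -> bool:
    """One behaviour hash on the blocklist covers every variant with the same genes."""
    return behaviour_hash(sample) in blocklist

# Constructed samples: two variants of one dropper (renamed identifiers,
# junk instruction, reordered steps) and a benign updater.
VARIANT_A = b"""
h = URLDownloadToFile(srv, "x.dll")
RegSetValueExA(HKCU, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", name)
p = WriteProcessMemory(target, buf)
CreateRemoteThread(target, p)
"""
VARIANT_B = b"""
zz = 0x41; zz = zz ^ 0x13  # junk, changes the file hash only
q = WriteProcessMemory(victim, payload)
CreateRemoteThread(victim, q)
InternetOpenUrlA(sess, cdn)
RegSetValueExW(HKCU, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", k)
"""
BENIGN = b"""
InternetOpenUrlA(sess, update_server)
WriteFile(local, data)
"""
```

Blocking `behaviour_hash(VARIANT_A)` also catches `VARIANT_B`, whose file hash is different, while the benign updater (download only, no injection or persistence) stays clean.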

A cloud-based malware protection system collects samples and subjects them to automatic sandboxing and behavioural analysis, which results in the creation of automated detections if malicious characteristics are confirmed. The solution should alert users to these detections without having to wait for a regular update, and provide instant blacklisting.

Multilayered solutions should also include exploit blockers (especially at the network level), ransomware shields, botnet trackers and protection, and threat intelligence. The right solution will help users move to proactive protection instead of reactive mitigation. This will dramatically reduce the risk of being successfully targeted by cybercriminals, letting companies operate with confidence.

While there is no silver bullet for security, it’s essential to remain flexible and proactive. Solutions should be based on intelligence (gathered over many years by experienced researchers) with different layers of protection to strike at different stages of the cybersecurity kill chain.
