In the past decade, the security industry has seen a constant rise in the volume of malware and attacks associated with them. Malware are constantly evolving to become more complex and sophisticated. For example,
- Unique malware samples broke the 75 million mark in 2011 – Network World
- 500 malware networks available to launch attacks – InformationWeek
- Malware authors expand use of domain generation algorithms – Computerworld
- Zeus/Spyeye variant uses peer to peer network model – Infosecurity.com
- Anonymous promises regularly scheduled Friday attacks – Wired
This blog discusses the changing malware threat landscape, challenges faced by intrusion-prevention systems, and limitations with traditional signature-based detection. We also provide the vision of McAfee Labs regarding effective solutions to combat such advanced threats.
Changes to the Threat Landscape
In the last decade we have seen exponential growth in the number of Internet users worldwide. This expanding base provides a lucrative opportunity to criminal organizations to carry out illicit activities. Compared with earlier malware that primarily created nuisance attacks, today’s malware are much more focused on both their victims and goals. Today’s attacks are a major concern for enterprises and organizations. Not only do they risk the loss of intellectual property or data, but any disruption to business continuity can also severely hamper an organization’s productivity and reputation. Protecting networks with a wide variety of Internet-connected devices—desktops, laptops, smart phones, etc.—has become even more of a challenge.
Botnets are the most common form of malware used by cybercriminals to attack enterprises and government organizations worldwide. Botnets, networks of compromised “robot” machines (also known as zombies) under the control of a single botmaster, carry out malicious activities such as distributed denial of service (DDoS) attacks on servers, steal confidential information, install malicious code, and send spam emails. Recent examples are Operation Aurora, ShadyRAT, and DDoS attacks on payment websites in support of WikiLeaks.
Advanced persistent threats, on the other hand, focus on specific targets, such as government organizations, with motives ranging from espionage to disrupting a nation’s core networks, including nuclear, power, and financial infrastructure. Due to the discrete nature of the attacks, these can remain undetected for a long time. Such attacks are also much more complex and sophisticated compared with other malware. For example, Stuxnet targeted Iranian nuclear facilities and Flame targeted cyberespionage in Middle Eastern countries.
Looking at the significance of intellectual property and national secrets as well as the vast potential of monetary rewards gained through these advanced attacks and threats, more and more cybercriminals—often well funded by criminal organizations—are attracted to develop malware. Their authors implement various techniques to make the malware and associated communication channels stealthier to avoid detection by security products on host systems and on the network. For example, encrypting communications between host and control server, using decentralized network architecture to stay undetected and resilient, using domain and IP flux techniques to hide control servers, and obfuscating malicious payloads are some of the techniques widely used by malware these days.
Traditional Detection and Its Limits
A signature-based detection mechanism that looks for unique network patterns has been the traditional method employed by security vendors to provide protection against attacks.
This method, though effective for defending against known threats, has limits.
- It is reactive: To provide coverage, researchers need to monitor and analyze network traffic, and reverse-engineer the attack to provide accurate detection coverage
- It is static: Malicious network patterns observed in previous attacks can change frequently, thus making the existing signatures ineffective to detect new variants of old threats
- It cannot react to unknown (such as zero-day) attacks
- The scope of detection is limited to a single network session and cannot correlate events across multiple network sessions
These limitations severely cripple traditional signature-based detection in protecting against emerging threats.
To win the battle and keep customers protected against emerging threats in the future, security vendors must continue to innovate.
Based on the current challenges to and limitations of signature-based detection, McAfee Labs envisions a dynamic solution that can provide proactive protection against future threats.
Such a solution must:
- Provide a behavioral-based detection framework in addition to the traditional approach
- Be capable of integrating various behaviors of the malware/threat lifecycle
- Have the ability to correlate attacks across multiple network sessions to precisely detect a specific type of threat
- Have the ability to do event-based correlation across multiple network sessions to detect unknown malware/threats
Such a framework will primarily be targeted toward providing not only detection to known threats but also providing customers with early warnings of possible infections.
In subsequent blogs, we will talk more about the solution that McAfee Labs believes will be capable of combating malware and advanced persistent threats on our networks.
I would like to thank my colleagues Chong Xu and Ravi Balupari for their contributions to this blog.