Malware Prevention Key to Countering Evasive Attack Techniques

Wednesday, June 28, 2017

Eddy Bobritsky


Security teams had an unpleasant wake-up call on May 12, as a malware attack dubbed WannaCry spread rapidly to hundreds of companies, holding hundreds of thousands of systems hostage by ransomware until it was slowed down by a young security researcher. Those who know their systems are vulnerable were reminded once again of the potential damage these worms can cause: inability to access files leads to downtime, lost productivity, and more.

Instead of running fire drills and wringing their hands, companies should look at what happened as an opportunity to reflect upon their endpoint security architecture and try to better understand the role of the various defense layers that comprise it. As the post-WannaCry reports shed light on what happened, it’s useful to discuss questions like: What controls could have dampened the worm’s propagation? What measures could have been effective at preventing the infection? How might these security controls work or fail in future, copycat variations of this attack?

A widespread malware attack that exploits a known Microsoft vulnerability should not surprise anyone who is paying attention. Ransomware incidents have spiked, with damage totals increasing from $325 million in 2015 to a projected $5 billion in 2017. The SANS Institute reports that malware programs capable of evading detection rose 2000% in one year (2014-2015). Evasive techniques enable malware to bypass firewalls, gateways, and sandbox discovery tools. Evasion techniques such as extended sleep and fast flux are quite common. Legacy systems, third-party devices and loosely administered computers are among those hit hardest. It’s important to assess risk regularly: confirm that endpoint defenses across the enterprise are in place, functioning as expected, and integrated to reinforce each other. More emphasis should be placed on prevention as a primary defense; detection methods are an important back-up layer, but they are not foolproof and often lead to delayed incident response.

The best methods for defending against WannaCry and similar incidents are not a mystery; basic best practices can be executed with free and commercial tools. In any given attack, some security components might fail. Consider potential scenarios and plan to mitigate the biggest risks. For example, backing up important data is an essential defense against ransomware attacks. The following measures help establish a resilient environment:

  • Segment the network and block unnecessary protocols. WannaCry attacked over the SMB protocol. Microsoft recommends not using this protocol, but if you still need to, be sure to block access from outside the organization.
  • Keep up with security patches. WannaCry exploited a Microsoft Windows vulnerability for which a patch had been available for some time. Some machines cannot be patched quickly enough, and some can’t be patched at all. In that case, be sure to harden the unpatched machines.
  • Install and regularly update anti-malware software. From the beginning, AV vendors were successfully identifying WannaCry components as malicious.
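The following PowerShell script is an added example, not code from the article or from Minerva; it audits and enforces the three baseline measures above on a single Windows endpoint. It assumes the patch KB number (a placeholder here, since the article does not name it) and the internal address ranges are filled in by the reader, and uses the built-in SMB, firewall and Windows Defender cmdlets.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): audit and harden one Windows endpoint.
# Assumptions: $PatchKB is a placeholder for the relevant security update,
# and the SMB/firewall cmdlets require Windows 8 / Server 2012 or later.

$PatchKB = 'KB<placeholder>'   # fill in the KB id of the patch for this OS build

# 1. Segment the network and block unnecessary protocols.
#    Disable the SMBv1 server if it is still on, and scope the built-in
#    file-sharing firewall rules so TCP 445 only answers the local subnet.
#    (Blocking SMB at the perimeter firewall is still required; this is the
#    host-side complement for machines that cannot be isolated otherwise.)
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Write-Warning 'SMBv1 server is enabled; disabling it.'
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
} else {
    Write-Output 'SMBv1 server is already disabled.'
}
# Windows Firewall evaluates explicit Block rules before Allow rules, so the
# safe pattern is to narrow the existing Allow rules rather than add a Block.
Set-NetFirewallRule -DisplayGroup 'File and Printer Sharing' `
    -RemoteAddress LocalSubnet -ErrorAction SilentlyContinue
Write-Output 'File and Printer Sharing rules restricted to LocalSubnet.'

# 2. Keep up with security patches: report whether the update is installed.
$hotfix = Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue
if ($hotfix) {
    Write-Output "$PatchKB installed on $($hotfix.InstalledOn)."
} else {
    Write-Warning "$PatchKB is NOT installed; patch or harden this machine."
}

# 3. Anti-malware present and current: check Defender's real-time protection
#    and the age of its signatures (other AV products expose their own checks).
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if (-not $mp) {
    Write-Warning 'Windows Defender status unavailable; verify the installed AV.'
} else {
    if (-not $mp.RealTimeProtectionEnabled) {
        Write-Warning 'Real-time protection is OFF.'
    }
    $sigAge = (Get-Date) - $mp.AntivirusSignatureLastUpdated
    if ($sigAge.TotalDays -gt 1) {
        Write-Warning ("AV signatures are {0:N1} days old." -f $sigAge.TotalDays)
    } else {
        Write-Output 'AV signatures updated within the last day.'
    }
}
```

Run it from an elevated PowerShell session on each endpoint, or wrap it in a configuration-management job; any Write-Warning line is a finding to act on.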

Stealthy attack methods are designed to evade these baseline mechanisms, so you also need endpoint defenses that disarm viruses not recognized by AV. This forces malware authors to “pick their poison.” If they design malware with evasive capabilities, prevention-oriented approaches can simulate an environment of security tools, which paralyzes evasive malware and forces it to abort the attack before any damage is done. If the attacker doesn’t implement stealthy techniques, baseline antivirus will block the specimen.

It appears that the WannaCry authors didn’t implement evasion techniques (e.g., sandbox avoidance and memory injection), but it is quite possible that future derivatives will. By combining a preventative malware-neutralizing approach with baseline antivirus solutions, organizations will be protected regardless of which method malware developers choose.

It can be difficult to defend legacy systems and services without impeding performance, violating vendor contracts, or inconveniencing business users. Attackers are well aware that systems missing patches are often also missing baseline antivirus and other endpoint defenses; the WannaCry worm was optimized to propagate rapidly through vulnerable machines.

Malware vaccination can help stabilize legacy technology and distributed systems. Any enterprise not yet using an anti-evasion solution can immunize itself against fast-spreading worms with vaccination. New approaches that simulate infection markers are proving to be effective in real-world scenarios. Centrally managing vaccination through simulated infection eases deployment while preserving forensics capabilities and overall performance.

Some defenses (e.g., infection markers and sandbox malware analysis) are too computationally intensive to be practical for universal or continuous deployment. Detection-based solutions aren’t foolproof and generate false positives and alerts that have to be prioritized. Prevention-based solutions that account for evasive techniques can be extended to every endpoint via low-footprint agents that neutralize malware before it ever executes itself.

We can’t stay in the malware arms race by building a tool for every trick malware creators conjure up. It’s critical that we develop broadly applicable methods that frustrate their efforts by turning those tricks into defensive weapons. Creative countermeasures like malware prevention leverage the evasive mechanisms built into viruses to shut them down before they can sneak in and wreak havoc.

About the author: Eddy Bobritsky is the CEO and Co-Founder of Minerva, an endpoint security solution provider. He is a cyber and information security domain expert. Before founding Minerva, Eddy was a senior cyber security consultant for the defense and financial sectors.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.