Thus far in our series we have reviewed a sophisticated ransomware family that relies on stealth and lateral-movement techniques, an infamous case of wiperware masquerading as ransomware and spread with stolen nation-state tools, and an ever-changing swiss-army-knife run by one criminal organization as a service to many others.
Today, in 2019, the myths surrounding “proper” security controls persist, in the minds of business and government leaders as well as of the network security professionals who advise them, and that has had dire consequences:
According to Cybersecurity Ventures, the global cost of cybercrime was $3 trillion in 2015 and is expected to reach $6 trillion annually by 2021. Ransomware alone accounted for $11.5 billion in 2018.
And, the issue is getting worse, not better:
In 2018 the number of hacker groups producing malware increased by 25%. In 2017 there were 358,904 new malware samples (never-before-seen hashes, or fingerprints) created every single day, 131 million for the year, up from 122 million in 2016. There is and has been a tsunami of malicious code. For perspective, a total of 741 new viruses and worms appeared on the Internet in the whole of 2001.
For this week, let’s step back from malware analysis.
Let’s instead take a moment to understand why the current crop of tools is failing to stem this tide of malicious code. First, consider this concept:
When you think of your CPU, I want you to think of your home.
Why? Because the parallels between physical security and computer security are striking. Anyone who has ever worked in physical security can tell you that default-allow policies are all wrong and will not protect your assets. None of us would let any Tom, Dick or Harry into our home just because nobody has ever seen them doing anything bad. Yet this is exactly how your computer operates. The CPU, the very thing that controls every component and orchestrates all that you see, touch and hear on every computing device, will execute whatever the operating system loads, and by default the operating system loads any executable it is handed, much as a home with no locks admits everyone. This is by design. Modern so-called “endpoint security” will block executables that have been seen doing bad things, but it allows everything else. Really.
Got that? Now let’s review the sort of industry information that network management professionals, business leaders and government officials hear from vendors and security writers alike, by looking at a technical e-zine article on modern security products.
In a February 2019 article entitled “Why Next-Gen Antivirus Isn’t Enough For Your Enterprise”, the author, Ben Canner, correctly identified the term “Next-Gen Antivirus” as nothing more than confusing doublespeak that does not encompass what is really needed: endpoint security. Unfortunately the endpoint security he describes still relies on foreknowledge. So-called modern endpoint security still leaves your computer in default-allow mode. That is not secure.
Let’s dissect the key ingredients of modern endpoint security, as listed in that article, to see why these alone cannot provide complete security:
Modern Endpoint Security Components
Machine Learning – This is analysis of what is normal in the environment: watching every network send and receive and every user action, and cataloguing the behaviour so as to recognize anomalies. It can alert you if Sally in accounting suddenly copies hundreds of files. It can tell you if your new hire with the perfect résumé suddenly uploads 30 GB of data to a cloud drive. This is very useful, but it cannot detect that which is designed to circumvent behavioural alarms. Human creativity cannot be predicted. Ingenuity trumps machine learning.
Endpoint detection and response – Did something abnormal occur? Take action, such as disconnecting the endpoint, and alert the network admins. This protection is based on foreknowledge. You cannot detect what you do not know.
Sandboxing – Sandboxing is the tactic of opening documents and executable files in an isolated environment to see what they do before allowing user access. A neat tool, but the bad guys have ways to detect that their malware is running in a sandbox, and can instruct the payload to behave differently there. Human ingenuity already escapes the sandbox.
Vulnerability shielding – This component uses knowledge of known vulnerabilities to protect the computer in the interval between discovery of a vulnerability and patching of the flaw. We cannot shield against what we do not know about, so this is not foolproof.
Behavioral analysis – What is the executable, script or other tool trying to do? Does it look similar to something bad we have seen before? If it appears to be doing things we know are bad or suspicious, this will stop or prevent the execution. Noticing a pattern yet? We can’t know everything.
Application control – What is the application designed to do? We will make sure it does only that. This is necessary because if a program is taken over through exploitation of a flaw, it may try to do things it normally should not. Think of Chrome or Internet Explorer: these should never replace system files. Application control ensures they only browse the web for pictures of kittens being cute… and other important stuff, of course. But mostly kittens. While important, this is no panacea. MS Word already has the right to write files; svchost.exe already has the rights to make system changes and run services. We cannot predict which legitimate capabilities will in the future be used to perform malicious actions because, again: HUMAN CREATIVITY CANNOT BE PREDICTED.
Read them again if needed. These functions of modern endpoint security all rely on some level of foreknowledge, or previous experience. They all leave the computer open to malware that has never been seen before, using tactics never before attempted, issuing commands in a paced fashion so as not to set off activity alarms. Such malware can get through to your home; it can be executed by your CPU. Only after a system has been injured can the heuristics, signatures and behaviours be catalogued and added to a blocklist. Until then, it has full access to run on your computer. These modern endpoint security products are vaccines against known digital illness. All a hacker needs to do is trick someone into executing malicious code that does not trigger the alarms. I remind you, 92% of all compromised systems can be traced back to such a trick. Humans are and will always be susceptible to trickery.
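The activity alarm that the machine-learning and behavioral paragraphs above describe, and the paced activity that slips under it, as an added example that is not part of the original article. The detector, its window and threshold, the user names and every event are constructed for illustration; real products use richer models, but they still have to pick a line somewhere, and that line is what pacing exploits.

```python
"""Added illustration (not from the original article): a minimal sliding-window
rate alarm of the kind behavioral endpoint components rely on, run over
constructed file-copy events. A burst trips it; the same volume, paced, does not.
Window, limit, user names and events are all hypothetical."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical alarm: more than LIMIT copies by one user inside any WINDOW.
WINDOW = timedelta(minutes=10)
LIMIT = 50


def detect_bursts(events, window=WINDOW, limit=LIMIT):
    """events: iterable of (timestamp, user, action) tuples.
    Returns {user: timestamp of the first copy that pushed that user past
    `limit` copies within `window`}; users who never trip it are absent."""
    recent = defaultdict(deque)   # per-user timestamps still inside the window
    alerts = {}
    for ts, user, action in sorted(events):
        if action != "copy":
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) > limit and user not in alerts:
            alerts[user] = ts
    return alerts


def copies_per_user(events):
    """Total copies per user, regardless of timing."""
    totals = defaultdict(int)
    for _, user, action in events:
        if action == "copy":
            totals[user] += 1
    return dict(totals)


def make_copies(user, count, start, spacing):
    """Constructed events: `count` copies by `user`, one every `spacing`."""
    return [(start + i * spacing, user, "copy") for i in range(count)]


START = datetime(2019, 3, 1, 9, 0)
# Constructed: 'sally' copies 300 files in five minutes (one per second).
BURST = make_copies("sally", 300, START, timedelta(seconds=1))
# Constructed: 'mallory' copies the same 300 files one every 15 seconds, at
# most 41 per 10-minute window, so the alarm never fires during the 75 min.
PACED = make_copies("mallory", 300, START, timedelta(seconds=15))

if __name__ == "__main__":
    print("totals:", copies_per_user(BURST + PACED))
    print("alerts:", detect_bursts(BURST + PACED))
```

Running it reports sally at her 51st copy and never mentions mallory, who moved exactly as many files. Lowering the limit until pacing is caught starts flagging ordinary bulk work instead, which is the trade-off every threshold-based alarm lives with and why the text calls this foreknowledge.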
Execution Control changes the posture from default-allow to default-deny. With Execution Control only KNOWN GOOD software, drivers, scripts and DLLs are allowed to run. It eliminates the ineffective (and impossible) yet perceived need to identify and block all malicious software. This is the number one recommended approach to securing digital assets from US-CERT, NIST and the governments of Canada and Australia. One caveat a practitioner should keep in mind: it governs what gets loaded and run, so code that executes entirely inside an already-trusted process, such as the exploited browser from the application-control paragraph above, still needs that other layer alongside it.
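Default-allow blocklisting next to default-deny allowlisting, as an added example that is neither White Cloud Security's code nor its HandPrint method: a plain SHA-256 content hash stands in for whatever identity a real product uses. All file names, contents and the one "already seen" hash are constructed; the point is the decision logic, and what the blocklist above in this article lets through.

```python
"""Added example (not the article's or vendor's code): a content-hash allowlist
(default-deny execution control) compared with a blocklist (default-allow),
run over constructed stand-in file contents. Names, bytes and hashes are made up."""
import hashlib


def fingerprint(content: bytes) -> str:
    """Identity of a file is its content, not its name or path."""
    return hashlib.sha256(content).hexdigest()


def blocklist_decision(content: bytes, blocklist: set) -> str:
    """Default-allow: run unless this exact hash has been seen doing harm."""
    return "deny" if fingerprint(content) in blocklist else "allow"


def allowlist_decision(content: bytes, allowlist: set) -> str:
    """Default-deny: run only if this exact hash was enrolled as known good."""
    return "allow" if fingerprint(content) in allowlist else "deny"


def enroll(contents) -> set:
    """Build an allowlist from known-good contents (e.g. a golden image)."""
    return {fingerprint(c) for c in contents}


def decide_file(path: str, allowlist: set) -> str:
    """The same default-deny check against a real file on disk."""
    with open(path, "rb") as f:
        return allowlist_decision(f.read(), allowlist)


# Constructed stand-ins for file contents (real ones would be PE/ELF, .ps1, .bat).
KNOWN_GOOD = {
    "calc.exe":    b"MZ\x90\x00 constructed calc v1.0",
    "winword.exe": b"MZ\x90\x00 constructed winword 16.0",
    "logon.bat":   b"@echo off\r\nnet use H: \\\\fileserver\\home\r\n",
}
SAMPLES = {
    "dropper.exe":          b"MZ\x90\x00 constructed dropper",
    # One-byte repack of the same dropper: a never-before-seen hash (FUD).
    "dropper_repacked.exe": b"MZ\x90\x00 constructed dropper\x00",
    # A script nobody has analysed yet, so nothing is known about it.
    "update.ps1":           b"# constructed script, never seen before\r\n",
    # Known-good binary with its last byte changed (trojanized).
    "calc.exe":             KNOWN_GOOD["calc.exe"][:-1] + b"2",
    # Known-good content under a different name: same fingerprint.
    "totally_not_calc.exe": KNOWN_GOOD["calc.exe"],
}

ALLOWLIST = enroll(KNOWN_GOOD.values())
BLOCKLIST = {fingerprint(SAMPLES["dropper.exe"])}  # the vendor already saw this one


def compare(samples=SAMPLES, allowlist=ALLOWLIST, blocklist=BLOCKLIST) -> dict:
    """{name: (blocklist verdict, allowlist verdict)} for every sample."""
    return {name: (blocklist_decision(c, blocklist), allowlist_decision(c, allowlist))
            for name, c in samples.items()}


if __name__ == "__main__":
    for name, (bl, al) in compare().items():
        print(f"{name:24} blocklist={bl:5} allowlist={al}")
```

The repacked dropper, the unanalysed script and the trojanized calc.exe all pass the blocklist and all fail the allowlist; the known-good bytes under a silly name are allowed because identity is tied to content, not to the path. Note what this check does not see: code that never arrives as a new file to be fingerprinted, which is the in-process case the caveat above refers to.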
White Cloud Security implements Execution Control with Trust Lockdown. We verify that the executable file, script, driver or DLL is a KNOWN GOOD entity before allowing it to execute.
Trust Lockdown STOPS Fully Undetectable (FUD) malware. We stop unauthorized PowerShell and batch file execution.
We do this with our patented HandPrint Cyber-Metric identification methodology, which ensures the identification cannot be faked. We are not a vaccine. We prevent execution of unknown scripts and software code, all of them.