Looking for Clues to Win the Malware War

With Cybercriminals Increasingly Able to Cover Their Tracks, Point-in-time Detection is No Longer Enough. Terry Greer-King Says We Need to Watch for the Trail of Clues Malware Leaves Behind.

It used to be that the way to defeat malware was no more complicated than figuring out how it entered the network and where it went from there. Nowadays, it is important to understand that malware is more dynamic and three-dimensional. It doesn’t just sit at a static point in time, waiting patiently to be detected. It exists as an interconnected ecosystem that is constantly on the move, making it difficult to uncover and destroy. In order to stand a chance, malware defense needs to be just as dynamic.

Businesses need to keep a constant watch on their networks in order to identify the trail of clues left behind by modern, advanced malware.

Let Down by Point In Time

There have been many improvements made in threat detection in recent years. Organizations can now execute files in a sandbox, use reputation-based application whitelisting to distinguish acceptable applications from malicious ones, and put in place virtual emulation layers to isolate malware from users and operating systems. But these point-in-time methods have no impact on the potentially devastating follow-on activities of an attacker. Cybercriminals have the ability to cover their tracks over an extended period of time, which is why it is critical for a network to be continuously scrutinized.

Luckily, it’s possible to identify any potential Indicators of Compromise (IoCs) left behind over time. With the right security model, these clues can be woven together to identify and isolate malicious activity. This can be achieved through the combination of big data and a continuous approach to provide protection and visibility along the full attack continuum – from point of entry, through propagation and post-infection remediation.

A continuous approach is important because it allows process-level telemetry data to be collected and analyzed continuously from the network and endpoint over a period of time. Much like a video surveillance system, this capability captures attacks as they happen, which is much more effective than event-driven data collection or scheduled scans for new data. Firms can observe all file activity on the endpoint, all communication to and from the endpoint, and all processes of file creation and file execution on the endpoint.

After initial detection analysis, file retrospection continues to interrogate files with the latest detection capabilities and collective threat intelligence. This allows for an updated disposition to be rendered and further analysis to be conducted well beyond the initial point in time it was first seen. Communication retrospection continuously captures communication to and from an endpoint and the associated application and process that received the communication for added contextual data.

Process retrospection is similar to file retrospection in that it continuously captures and evaluates system processes over time. The collection of file, communication and process data is then intertwined into a chain of activity for analysis in real time, whenever it is needed. Data is examined for patterns of activity across detection events and static IoCs left behind by malware and exploits. A perfect example is a dropper that has slipped through initial detection: events leading up to and after the behavioral IoC are also collected and available for additional forensic insight.

Bringing it Together

The technique for weaving the three different retrospection streams together, as they happen, captures the relationship dimension that is missing in two-dimensional point-in-time technologies. This enables businesses to quickly understand the scale of an outbreak, head off compromises and break an attack chain. Better still, even if the standard operating procedure is to re-image a device experiencing severe compromise, all the detection and telemetry data is still preserved. Containment can still be implemented to prevent any future compromise by attackers using the same infection gateway.
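The following is an added example, not code from Cisco or from the author, that makes the file, communication and process retrospection described above concrete. It ingests a constructed stream of endpoint telemetry (hashes, hostnames and the 198.51.100.23 address are placeholders, not real indicators), records every sighting of each file hash, and when threat intelligence later changes a hash's disposition to malicious it returns every host and process where that file was seen, well after the point in time it was first observed. It then walks parent/child process links to weave the file, process and network events of one host into a single chain of activity, which is the "dropper that slipped through initial detection" case from the text. The class and function names are assumptions made for this illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    ts: int          # seconds since epoch; constructed sample values
    kind: str        # "process", "file" or "net"
    host: str
    pid: int
    detail: dict


# Constructed sample telemetry. Hashes, hosts and the destination address
# (a documentation range) are placeholders, not real indicators of compromise.
DROPPER = "sha256:dropper-placeholder"
PAYLOAD = "sha256:payload-placeholder"
BENIGN = "sha256:notepad-placeholder"

SAMPLE_TELEMETRY = [
    Event(100, "process", "ws01", 4100, {"image": r"C:\Users\alice\Downloads\invoice.exe", "sha": DROPPER, "ppid": 3000}),
    Event(101, "file", "ws01", 4100, {"op": "create", "path": r"C:\Users\alice\AppData\Local\Temp\svc.exe", "sha": PAYLOAD}),
    Event(102, "process", "ws01", 4200, {"image": r"C:\Users\alice\AppData\Local\Temp\svc.exe", "sha": PAYLOAD, "ppid": 4100}),
    Event(103, "net", "ws01", 4200, {"dst": "198.51.100.23", "port": 443}),
    Event(150, "process", "ws02", 5100, {"image": r"C:\Users\bob\Downloads\invoice.exe", "sha": DROPPER, "ppid": 3001}),
    Event(160, "process", "ws01", 4300, {"image": r"C:\Windows\notepad.exe", "sha": BENIGN, "ppid": 3000}),
]


class RetrospectiveMonitor:
    """Keeps all telemetry so verdicts can be revisited after the fact (hypothetical class)."""

    def __init__(self, intel: Optional[Dict[str, str]] = None):
        self.intel = dict(intel or {})             # sha -> "clean" | "malicious"
        self.events: List[Event] = []
        self.sightings: Dict[str, List[Tuple[str, int, int]]] = {}  # sha -> [(host, pid, ts)]

    def ingest(self, ev: Event) -> str:
        """Store the event and return the point-in-time verdict for any file hash it carries."""
        self.events.append(ev)
        sha = ev.detail.get("sha")
        if sha:
            self.sightings.setdefault(sha, []).append((ev.host, ev.pid, ev.ts))
        return self.intel.get(sha, "unknown")

    def update_intel(self, sha: str, verdict: str) -> List[Tuple[str, int]]:
        """File retrospection: a newly malicious hash alerts on every earlier sighting."""
        previous = self.intel.get(sha, "unknown")
        self.intel[sha] = verdict
        if verdict == "malicious" and previous != "malicious":
            return sorted({(host, pid) for host, pid, _ in self.sightings.get(sha, [])})
        return []

    def chain(self, host: str, root_pid: int) -> List[Event]:
        """Process retrospection: gather the root process, its descendants, and their
        file and network events on one host, ordered in time."""
        pids = {root_pid}
        grew = True
        while grew:  # transitive closure over parent -> child links
            grew = False
            for ev in self.events:
                if (ev.kind == "process" and ev.host == host
                        and ev.detail["ppid"] in pids and ev.pid not in pids):
                    pids.add(ev.pid)
                    grew = True
        return [ev for ev in sorted(self.events, key=lambda e: e.ts)
                if ev.host == host and ev.pid in pids]


def summarize(ev: Event) -> str:
    """One-line rendering of an event for an analyst."""
    d = ev.detail
    if ev.kind == "process":
        return f"{ev.ts} process pid={ev.pid} ppid={d['ppid']} {d['image']}"
    if ev.kind == "file":
        return f"{ev.ts} file {d['op']} pid={ev.pid} {d['path']}"
    return f"{ev.ts} net pid={ev.pid} -> {d['dst']}:{d['port']}"


def build_monitor() -> RetrospectiveMonitor:
    """Ingest the sample stream with empty intel, so every hash is initially 'unknown'."""
    monitor = RetrospectiveMonitor()
    for ev in SAMPLE_TELEMETRY:
        monitor.ingest(ev)
    return monitor


if __name__ == "__main__":
    m = build_monitor()
    # Intel arrives later: the dropper is now known bad. Every earlier sighting is surfaced.
    for host, pid in m.update_intel(DROPPER, "malicious"):
        print(f"retrospective alert: {host} pid={pid}")
        for ev in m.chain(host, pid):
            print("   ", summarize(ev))
```

At ingest time nothing in the sample stream matches intel, so a point-in-time system would report nothing. When the dropper hash is later marked malicious, the monitor surfaces both hosts that ran it, and the chain for the first host shows the dropper writing a second executable, launching it, and that child making an outbound connection, while the unrelated process on the same host is left out of the chain.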

Ultimately, continuously monitoring for clues provides a robust outbreak control capability that includes surgical containment. This simply cannot be achieved through a point-in-time approach, which only provides a business with a list of facts that are tedious to make actionable for containment. The power of a continuous approach, along with a big data architecture, holds the key to mitigating risk and defeating malware. 


Terry Greer-King is the Director of Cyber Security at Cisco. His principal expertise is in increasing business through driving change and transforming organisations' Cyber Security environments. Through both direct engagement and utilising senior relationships with key System Integrators, Outsourcers and Service Providers, he has led business process changes which have helped customers rationalise their security and risk infrastructures.

He holds specific knowledge of the following technology environments: Hosted Services, Cloud Service Provision, Next Generation Firewalling, UTM, IPS, Management (SIEM), Application Control, BOT prevention, Endpoint Control and Software Defined Networking.
