This blog was written by Nat Smith.
Understanding the attack methods and techniques of bad guys provides valuable insights that can help you refine your security posture. This five-part blog series looks at attacks from a thief’s perspective and shows you how the latest security technologies can block them.
No Smoke. No Mirrors. No Misdirection: Evasive Thieves Attack with Houdini-like Prowess.
Cyber-thieves are getting crafty. These hacking invertebrates continually find creative ways to evade detection as they slither through the cracks in your security. Their advanced evasive techniques (AETs) challenge network security like never before, exploiting weaknesses at every level of the infrastructure.
Removing the Mystery from Evasive Malware Techniques
At McAfee we believe that by better understanding the way bad guys think and the techniques they use, you can improve your security posture and more effectively detect evasive activity. The thieves’ bag of dirty tricks grows by the day. Favorite techniques include payload parsing and reassembly, sandbox evasion, endpoint data exfiltration, and malware callback evasions. Many of today’s evasive attack techniques modify existing malware or use it in new ways to elude firewalls, sandboxes, gateways, and IPS detection. In fact, given the thousands of ways bad guys can change malicious payloads, along with the hundreds of potential delivery methods, it’s estimated that there are more than 800 million viable evasion combinations.
Illuminating Evasive Behavior
McAfee offers several innovative technologies that shed light on invisible, evasive threats. While signature-based, pattern-matching technologies still provide basic protection, a new class of intelligent technologies monitors code behavior and shares security insights in real time with other security devices to assess threat levels across multiple threat vectors and take decisive action in response to an attack. Here are several that help foil evasive network behavior:
- Continuous tracking and inspection of network sessions allows the complex patterns of AETs to be found and blocked. Combining network session tracking and data stream analysis at the firewall provides greater protection against known and unknown evasion techniques, even when they are applied on multiple protocol levels at once.
- Static code analysis is a cutting-edge, non-signature observation engine that illuminates blind spots in dynamic code analysis. Static code analysis inspects the latent code in a file, the paths that never executed during sandbox detonation, to ensure that non-executing code is not malicious. It works in combination with dynamic analysis to foil advanced sandbox evasion techniques.
- Intelligent callback tracking allows covert botnet patterns to be learned and blocked. This industry-first technique applies algorithm tracking in order to reverse engineer URL connection patterns used for malware callbacks.
- Endpoint intelligence validates the use of trusted applications while helping to expose malicious rogue apps. This intelligent feature within the endpoint agent inventories all application processes on the endpoint, monitors application communications activities, and observes all outgoing connections made by executables. It then shares these insights with firewalls, IPSs and other security devices across the network.
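To make the last two bullets concrete, here is an added example (my own illustration, not McAfee's code or product logic) that does in miniature what callback tracking and endpoint intelligence are described as doing: it inventories which executable talked to which host, looks for the regular, timer-driven connection rhythm typical of malware callbacks, suppresses processes on a trusted-application allowlist, and emits the resulting hosts in a form a firewall could consume. All process paths, hostnames and timestamps are constructed sample data, and the allowlist and thresholds are assumptions for the example.

```python
"""Endpoint connection inventory plus callback-pattern detection (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: outgoing connections observed by an endpoint agent.
# Each record is (timestamp_seconds, process_path, remote_host).
SAMPLE_CONNECTIONS = [
    (0,    r"C:\Program Files\Browser\browser.exe", "news.example.org"),
    (37,   r"C:\Program Files\Browser\browser.exe", "cdn.example.net"),
    (410,  r"C:\Program Files\Browser\browser.exe", "mail.example.org"),
    # A trusted updater that also phones home on a fixed timer (allowlisted).
    (0,    r"C:\Program Files\Updater\updater.exe", "updates.example.org"),
    (600,  r"C:\Program Files\Updater\updater.exe", "updates.example.org"),
    (1200, r"C:\Program Files\Updater\updater.exe", "updates.example.org"),
    (1800, r"C:\Program Files\Updater\updater.exe", "updates.example.org"),
    # An untrusted executable in a user profile beaconing every 300 s.
    (0,    r"C:\Users\bob\AppData\Roaming\svch0st.exe", "a1b2c3d4e5f6.example-bad.com"),
    (300,  r"C:\Users\bob\AppData\Roaming\svch0st.exe", "a1b2c3d4e5f6.example-bad.com"),
    (600,  r"C:\Users\bob\AppData\Roaming\svch0st.exe", "a1b2c3d4e5f6.example-bad.com"),
    (900,  r"C:\Users\bob\AppData\Roaming\svch0st.exe", "a1b2c3d4e5f6.example-bad.com"),
    (1200, r"C:\Users\bob\AppData\Roaming\svch0st.exe", "a1b2c3d4e5f6.example-bad.com"),
]

# Hypothetical allowlist of validated, trusted applications on this endpoint.
TRUSTED_APPS = {
    r"C:\Program Files\Browser\browser.exe",
    r"C:\Program Files\Updater\updater.exe",
}


def inventory(connections):
    """Group outgoing connections by (process, host) -> sorted timestamps."""
    by_pair = defaultdict(list)
    for ts, proc, host in connections:
        by_pair[(proc, host)].append(ts)
    return {pair: sorted(stamps) for pair, stamps in by_pair.items()}


def beacon_score(timestamps, min_events=4):
    """Coefficient of variation of the gaps between connections, or None.

    A value near zero means the connections arrive on a fixed timer, the
    signature of an automated callback rather than human-driven traffic.
    """
    if len(timestamps) < min_events:
        return None
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    avg = mean(gaps)
    if avg == 0:
        return None
    return pstdev(gaps) / avg


def find_callbacks(connections, trusted=TRUSTED_APPS, max_cv=0.2):
    """Flag (process, host) pairs where an untrusted process beacons regularly."""
    findings = []
    for (proc, host), stamps in inventory(connections).items():
        if proc in trusted:
            continue  # endpoint intelligence: validated apps are not reported
        cv = beacon_score(stamps)
        if cv is not None and cv <= max_cv:
            gaps = [b - a for a, b in zip(stamps, stamps[1:])]
            findings.append({
                "process": proc,
                "host": host,
                "interval_s": round(mean(gaps)),
                "events": len(stamps),
            })
    return findings


def firewall_blocklist(findings):
    """Hosts to share with firewalls and IPS devices as a sorted list."""
    return sorted({f["host"] for f in findings})


if __name__ == "__main__":
    hits = find_callbacks(SAMPLE_CONNECTIONS)
    for hit in hits:
        print(f"{hit['process']} -> {hit['host']} every ~{hit['interval_s']}s "
              f"({hit['events']} events)")
    print("share with perimeter:", firewall_blocklist(hits))
```

On the sample data only the user-profile executable is reported: the browser makes too few connections to any single host to score, and the updater beacons just as regularly as the malware but is suppressed by the allowlist, which is exactly why the endpoint's knowledge of trusted applications matters to the network devices it feeds. Real callbacks add jitter and rotate hosts, so a production detector would widen the tolerance and correlate on the destination's domain pattern rather than the exact hostname.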
Securing your network doesn’t have to be an illusion. Learn more about how thieves slip past security defenses using evasive techniques—and what you can do about it. Check out the new McAfee Tech Brief: A Thief’s Perspective on Evasive Attack Methods.