Three Strategies to Combat Anti-Analysis and Evasion Techniques

“What happens if our network is compromised?” is a question that security professionals have been asking for some time. But for a variety of reasons – ranging from network transformation efforts to more sophisticated attack methods – this question has now become, “how do we even know if our network has been compromised?” 

One reason for this is that as cybercriminals increasingly invest in new strategies designed to evade detection, there is little to no evidence that anything is amiss until after attackers have achieved their goals.

The Rise of Anti-Analysis Attack Strategies

Most of us are familiar with some of the more sophisticated attack strategies being used to ensure attacks succeed. They range from advanced strategies, such as combining machine learning with metamorphic or polymorphic malware that can learn from and adapt to network defenses, to malware that leverages tools already installed on the network. Fortunately, many of us have countermeasures in place that allow us to detect and effectively respond to such efforts.

As a result, cybercriminals are adopting new techniques to obscure their efforts and evade detection and analysis so they can complete their plans. Some examples of anti-analysis techniques include routines that enable malware to detect when it is running within a sandbox environment or even in a system emulator, functions for disabling security tools on an infected system, and the use of junk data to make disassembly harder. MITRE currently lists more than 60 anti-analysis and evasion techniques—some new and some old—that attackers employ to slip past defenses and remain undetected so they can achieve their aims uninterrupted.

This seems to be a trend with legs. Last quarter, several reports identified new malware with sophisticated defense-evasion techniques built into them that indicate rapid advances in this latest attack strategy. One of them, a downloader used to target financial organizations, not only includes sandbox detection but also a clever tool designed to determine if it is being run in an emulator. It also includes checks for mouse movement and debuggers to ensure it is only ever running in an actual production environment. This isn’t unique. At least two other downloaders were also reported in Q2 2019 as having similarly advanced evasion mechanisms, including location verification capabilities and sleep timers for delayed execution. 
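The checks described above (skipped sleep timers, a static mouse cursor, an attached debugger) are simple to implement, which is why so many downloaders carry them. The following is an added example written for this article, not code from any of the reported malware or from the author. It shows each check in its plainest form so that an analyst building or tuning a sandbox can see exactly what it must defeat: the `FakeClock` class stands in for a sandbox's clock and is a constructed test double, and the `/proc/self/status` debugger check is the Linux form of the test (the Windows equivalent is `IsDebuggerPresent`, not shown).

```python
"""Illustrative anti-analysis checks (added example, not from the article or any real sample)."""
import time
from dataclasses import dataclass
from typing import Callable, Iterable, Tuple


# --- 1. Sleep-timer check -----------------------------------------------------
# Sandboxes often hook Sleep() so that a delayed payload runs immediately. The
# malware asks for a long delay and compares it against a monotonic clock; if far
# less time passed than requested, it concludes the sleep was fast-forwarded.
def sleep_was_skipped(requested_s: float,
                      sleep_fn: Callable[[float], None] = time.sleep,
                      clock_fn: Callable[[], float] = time.monotonic,
                      tolerance: float = 0.5) -> bool:
    start = clock_fn()
    sleep_fn(requested_s)
    elapsed = clock_fn() - start
    return elapsed < requested_s * tolerance


class FakeClock:
    """Constructed stand-in for a sandbox clock, so both behaviours can be shown offline."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:          # acts as clock_fn
        return self.now

    def skip_sleep(self, seconds: float) -> None:
        """Naive sandbox: Sleep() returns at once and the clock is untouched."""

    def skip_sleep_and_advance(self, seconds: float) -> None:
        """Hardened sandbox: Sleep() returns at once but the clock is advanced too."""
        self.now += seconds


# --- 2. Mouse-movement check --------------------------------------------------
# Given cursor positions sampled over a few seconds, decide whether a human is
# present. A sandbox that never moves the cursor fails this trivially.
def mouse_looks_human(samples: Iterable[Tuple[int, int]], min_distinct: int = 3) -> bool:
    distinct = {tuple(p) for p in samples}
    return len(distinct) >= min_distinct


# --- 3. Debugger check --------------------------------------------------------
# On Linux the kernel records the PID of any tracer (gdb, strace, ...) here.
def tracer_pid_from_status(status_text: str) -> int:
    for line in status_text.splitlines():
        if line.startswith("TracerPid:"):
            return int(line.split(":", 1)[1].strip())
    return 0


def debugger_present() -> bool:
    try:
        with open("/proc/self/status") as fh:
            return tracer_pid_from_status(fh.read()) != 0
    except OSError:
        return False  # no procfs (non-Linux); this particular check does not apply


@dataclass
class AnalysisVerdict:
    sleep_skipped: bool
    mouse_static: bool
    debugger: bool

    def under_analysis(self) -> bool:
        return self.sleep_skipped or self.mouse_static or self.debugger


if __name__ == "__main__":
    naive = FakeClock()
    print("naive sandbox detected:", sleep_was_skipped(30, naive.skip_sleep, naive))
    hardened = FakeClock()
    print("hardened sandbox detected:", sleep_was_skipped(30, hardened.skip_sleep_and_advance, hardened))
    print("debugger attached:", debugger_present())
```

The defensive lesson is in the two `FakeClock` methods: a sandbox that fast-forwards sleeps must also advance every clock the sample can read, or the skipped sleep is itself the tell. The same applies to the other checks: inject realistic cursor movement and hide tracer state rather than hoping the sample never asks.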

Another growing trend is the use of “living off the land” techniques, where standard administrative tools are hijacked to perform malicious activities. PowerShell, for example, can run scripts directly from memory, is easy to obfuscate, and is already trusted, enabling it to bypass application whitelisting. There is also a wide variety of free, readily available offensive toolkits for PowerShell such as PowerSploit, PowerShell Empire, and Nishang. Because tools such as PowerShell are already authorized, and many of the accounts running them, perhaps inadvertently, have some degree of admin privileges, malicious behavior is often categorized as authorized.  

These and similar anti-analysis and other evasion tactics pose a severe challenge to enterprises and underscore the need for multilayered defenses that go beyond traditional signature and behavior-based threat detection.

Finding Malware That Doesn’t Want to be Found

Of course, using signature and behavioral-based security tools to detect threats remains a critical component of any security arsenal. These should also be augmented with things like advanced behavioral analytics to identify and correlate suspicious activities that, on their own, may not rise to the level of tripping a threat alarm.

But those strategies are decreasingly effective when operating against malware designed specifically to evade detection. Even worse, these challenges are being compounded by the rapid expansion of the network’s attack surface due to digital transformation efforts that not only broaden the network’s footprint but increasingly make it subject to the “weakest link in the chain” problem. This includes new cloud, WAN, mobility, and IoT strategies, each introducing its own security risks and, far too often, each with a different level of security applied to it.

However, there are powerful tools available to help you address the challenge of detecting security breaches that do not want to be found. They include:

1. Intent-Based Network Segmentation

Flat networks built on a ‘trusted’ model make it easy for cybercriminals who get inside the network to become part of the trusted environment, run in stealth mode, and then quickly spread threats across the network. And it’s extremely hard to detect and contain such activities as they move deeper into the network, resulting in cascading risks, the loss of valuable data, and resulting economic and brand damage.

Segmenting the network ensures that if a breach occurs, its impact is limited to a pre-determined set of resources. However, static segmentation efforts, such as using various combinations of micro, macro, and application segmentation techniques to secure data and digital assets don’t always easily adapt to the rapid rate of change that networks are undergoing. And as more exceptions are created to accommodate workflows, applications, and transactions traversing between network segments, the effectiveness of network segments is steadily reduced.

With intent-based segmentation, organizations can intelligently segment network and infrastructure assets regardless of their location, whether on-premises or on multiple clouds. Dynamic and granular access control is then established by continuously monitoring trust levels and automatically adapting security policies accordingly. High-performance, advanced security can then be more effectively used to isolate critical IT assets and apply granular monitoring to quickly detect and prevent threats using analytics and automation.

2. Deception Technology

Deception technology works by creating decoy network resources across the infrastructure that mimic legitimate assets. These decoys can be deployed in virtual or physical environments, and include generated traffic designed to trick cybercriminals into thinking they have discovered a way to steal credentials or escalate privileges. 

The reason they are so effective at detecting evasive malware is that traffic from legitimate devices either never travels to those deception lures or, if it does, behaves in specific and predictable ways. Any other interaction with a decoy is therefore a high-fidelity signal: once a trap is triggered, the stealthy device is uncovered and countermeasures can take place immediately. Notifications are sent to a centralized deception server that records updates from the affected decoy, the attack vectors the malware used against it are logged, and intent-based segmentation can automatically step in to isolate the compromised device – even if the malware on that device itself is never actually detected.
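The detection logic behind a deception deployment is deliberately simple, which is what makes it resistant to anti-analysis tricks: the malware can hide from a sandbox, but it cannot touch a decoy without being seen. The following added example (written for this article, not Fortinet's or the author's code) evaluates a constructed stream of flow and authentication events against a constructed decoy inventory. Two decoy hosts, two planted decoy accounts, and the `10.20.30.5` "deception controller" that is allowed to health-check the decoys are all hypothetical values; the quarantine set it produces is where a segmentation policy would take over.

```python
"""Decoy-hit evaluation over constructed events (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed decoy inventory (hypothetical addresses and account names).
DECOY_HOSTS: Dict[str, str] = {"10.20.30.250": "fake-fileserver", "10.20.30.251": "fake-db"}
DECOY_ACCOUNTS: Set[str] = {"svc_backup_old", "admin_legacy"}
# The only legitimate source that should ever talk to a decoy: the deception
# controller's health checks. Keep this list as short as possible; every entry
# is a blind spot.
EXPECTED_SOURCES: Set[str] = {"10.20.30.5"}

# Constructed event stream loosely modelled on flow and authentication logs.
SAMPLE_EVENTS: List[Dict] = [
    {"ts": "2019-07-01T09:00:01Z", "kind": "flow", "src": "10.20.30.5", "dst": "10.20.30.250", "dport": 445},
    {"ts": "2019-07-01T09:02:14Z", "kind": "flow", "src": "10.20.30.77", "dst": "10.20.30.250", "dport": 445},
    {"ts": "2019-07-01T09:02:15Z", "kind": "auth", "src": "10.20.30.77", "dst": "10.20.30.251",
     "user": "svc_backup_old", "result": "failure"},
    {"ts": "2019-07-01T09:03:00Z", "kind": "auth", "src": "10.20.30.12", "dst": "10.20.30.40",
     "user": "jsmith", "result": "success"},
    {"ts": "2019-07-01T09:05:30Z", "kind": "auth", "src": "10.20.30.91", "dst": "10.20.30.40",
     "user": "admin_legacy", "result": "failure"},
]


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    reason: str
    vector: str  # what the attacker tried against the decoy, for later correlation


def evaluate(events: List[Dict]) -> Tuple[List[Alert], Set[str]]:
    """Return decoy-hit alerts and the set of source hosts to quarantine."""
    alerts: List[Alert] = []
    for ev in events:
        src = ev["src"]
        # Rule 1: any flow to a decoy host from an unexpected source.
        if ev["kind"] == "flow" and ev["dst"] in DECOY_HOSTS and src not in EXPECTED_SOURCES:
            alerts.append(Alert(ev["ts"], src, f"contacted decoy {DECOY_HOSTS[ev['dst']]}",
                                f"tcp/{ev['dport']} to {ev['dst']}"))
        # Rule 2: a planted decoy credential used anywhere, success or failure.
        # Decoy accounts are never used by real people, so the result is irrelevant.
        if ev["kind"] == "auth" and ev["user"] in DECOY_ACCOUNTS:
            alerts.append(Alert(ev["ts"], src, f"used decoy credential {ev['user']}",
                                f"auth {ev['result']} against {ev['dst']}"))
    quarantine = {a.src for a in alerts}
    return alerts, quarantine


if __name__ == "__main__":
    found, to_isolate = evaluate(SAMPLE_EVENTS)
    for a in found:
        print(f"{a.ts} ALERT src={a.src}: {a.reason} ({a.vector})")
    print("quarantine:", sorted(to_isolate))
```

Two design points follow from the paragraph above. First, the decoy-credential rule fires on failed logons as well as successful ones, because a planted credential has no legitimate user and any attempt to use it means something harvested it from a compromised host. Second, the output is a set of source hosts, not a malware verdict: the host is isolated on the strength of its behaviour toward the decoy, which is exactly how a compromised device gets contained without the malware on it ever being identified.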

3. Integrated Security

Adding AI to sandbox solutions provides excellent countermeasures to advanced evasion strategies, such as being able to detect malware that refuses to run inside a sandbox or emulator. However, once anti-analysis malware has been identified, security tools must be able to work in concert to share threat intelligence so they can be on the lookout for other instances of the same behavior. 

Security applied at checkpoints between network segments, for example, needs to be able to lock down inspection and share updates in real-time. Other tools need to correlate efforts to trace the malware back to its origination point as well as plot devices along its data paths that may have also been compromised. This requires tools that have been deeply integrated into a single, cohesive security fabric that spans the entire distributed network, including the core physical network, public and private multi-clouds, WAN locations, and mobile and IoT devices. 

Your Network Can Outsmart Stealthy Attacks

The secret to detecting evasive malware is to limit its scope, get it to reveal itself, and then share that information across the entire network to raise the bar on detection and response. Intent-based segmentation, deception technology, and an integrated security fabric are essential tools in beating malware designed to avoid detection and analysis.


John Maddison is Sr. Vice President, Products and Solutions at Fortinet. He has more than 20 years of experience in the telecommunications, IT Infrastructure, and security industries. Previously he held positions as general manager data center division and senior vice president core technology at Trend Micro. Before that John was senior director of product management at Lucent Technologies. He has lived and worked in Europe, Asia, and the United States. John graduated with a bachelor of telecommunications engineering degree from Plymouth University, United Kingdom.
