The security industry’s reliance on cloud-based analysis of detected threats may have helped it build a level of malware defence, but those concerned about being penetrated by below-the-radar advanced persistent threats (APT) may want to take matters into their own hands, ThreatTrack director for enterprise security Nicholas Keuning has suggested.
Presenting at the AusCERT 2013 security conference, Keuning demonstrated the use of a sandboxing technique in which he was able to analyse the behaviour of a contained APT, figuring out its likely avenue of attack and a strategy for remediating it.
“Within about five minutes I was able to understand this complex sample well enough to not only understand that it’s bad, but to have the information to block, alert and remediate it in my network,” he told CSO Australia.
The ThreatAnalyzer sandbox technology, which offers functionality normally part of a forensic toolbox used by malware investigators, has been bundled into a more end user-accessible format and made available to end users for analysis of suspected APTs and other threats.
Combined with cloud-based antivirus scanning capabilities that isolate incoming email attachments and Web threats, Keuning said the Malware Determination Engine built into ThreatAnalyzer offered companies “basically a miniature antivirus company running in the corner, but specific to their organisation”.
“When we set up the box, what we’re really selling you is a threat analyser with higher level reporting functionality,” he explained.
“Almost any attribute can be good or bad, but it’s the combination that becomes really important when it comes to behaviour analysis. There’s no one behaviour where you can say ‘this is malicious’, but the more metadata we can generate, the more information we have to create those combinations of good and bad.”
Inviting APTs into the company for analysis may make sense for some who feel confident in sandboxes’ ability to contain the threat, but many IT managers may be loathe to risk potential infection by taking on the role of APT wrangler. Asked whether this approach could backfire if APTs were written to detect the presence of the sandbox and work around it, Keuning was confident the technique would prove resilient.
“Any time you create a sandbox, you’re creating some detection capabilities,” he said. “There is some detection capability of virtual machines and there is no way around it, but our box has some capabilities to stop that from taking place” such as hiding information about the processors and other hardware.
Just as APT authors are continually refining their code, ThreatTrack is continually building new capabilities into its engine that help it keep up with new methods of attack. However, for companies concerned about the unknown behaviour of APTs and malicious code, sandboxing offers unprecedented visibility into what they can expect – and how they can unravel increasingly sneaky malware trying to worm its way into the organisation.
“We have been detecting these for a very long time, and there is always going to be a little bit of a cat and mouse game,” Keuning said. “But we want to be able to find this stuff, alert on it, protect and remediate it for you if it’s there. This is something we’ve been doing every day with antivirus – but the big difference is that these targeted APTs aren’t sent to 100,000 or 500,000 people; they’re sent to just one or two. Someone is purposely coming after you.”
Follow @CSO_Australia and sign up to the CSO Australia newsletter.