Oct 26 2021

Smarter Malware Creates the Need for Stronger Detection

New attack methods bypass standard sandboxes and other protections, but next-generation tools have promise.

The attackers keep on coming — and malware is their favorite way to get a foothold in agency networks. As their offensive playbook has evolved over the past 20 years, IT’s defensive tools have also evolved to keep up.

First-generation anti-malware — signature-based anti-virus — hit a wall more than a decade ago when malware authors figured out how to evade matching technology. Second-generation anti-malware added in sandbox technology, an approach designed to force malware to detonate in a controlled environment.

Sandboxes have their own limits, however, as analysis of the 2020 SolarWinds attack showed; to evade detection, the malware in that incident specifically checked to see if it was running in a sandbox.

This brings us to a new generation of anti-malware tools. Not everyone uses the same terminology, but from the technology point of view, this next generation of anti-malware has two defining characteristics: advanced malware detection and avoidance technologies on the endpoint, and management instrumentation that actively responds to remediate malware.

The action item for federal IT managers is to continuously evaluate their agency’s server and end-user (desktop, laptop and mobile device) anti-malware strategy and product mix. The goal is to ensure that end users and critical systems are getting the advantages of these new protection technologies for a constantly evolving threat environment.

This evaluation should focus on two main areas where anti-malware tools are changing rapidly: endpoint strategies and management strategies.

KEEP READING: Get complimentary resources from CDW on building an incident response plan.

Federal Agencies Can Turn to New Detection Technologies

Current best practice in anti-malware strategy incorporates two key technologies: improved detection and stronger isolation.

Improved detection strategies for anti-malware are difficult to examine directly because the marketing and white papers surrounding them contain more than the usual level of buzzwords. No one’s trying to hide anything — there really are new advanced detection technologies such as machine learning and artificial intelligence algorithms in some of these products.

The issue with these new detection technologies, however, is that they all depend on malware evolving slowly along a clear and familiar path. To put it another way, there’s a saying, “Generals are always preparing to fight the last war.”

Even with new adaptive tools for anti-malware, IT managers need to acknowledge that all the latest and greatest ML and AI checkers may not catch a radically different type of malware. That doesn’t mean that ML, AI and other new ideas won’t help, but federal IT managers should consider these as only one part of a strategic overhaul for anti-malware.

27%

The amount of ­government website traffic made up of ­malicious bots

Source: Imperva, “Bad Bot Report 2021: The Pandemic of the Internet,” April 2021

Stronger isolation, focused on the browser, is a complementary technique that many federal IT managers are using as part of their anti-malware strategies. This idea has its genesis in the virtual desktop infrastructure projects that have been so successful from a security point of view.

However, browser isolation isn’t the same as VDI: It’s really virtualization just for the browser. Because almost all end-user malware makes its initial touchdown via the web browser — a phishing link, a malware site, a compromised advertising server — isolating the web browser within a virtual environment delivers a hefty wall of protection. This isolation could be in a virtual environment on the desktop or laptop or even on a remote system running in the cloud.

Browser isolation has its drawbacks, though. It requires a very modern infrastructure with lots of internet bandwidth as well as plenty of computing power and memory on the end-user’s device. This means that browser isolation won’t work for every agency and in every computing environment. But as part of a next-generation anti-malware strategy, isolation delivers protection that detection tools cannot.

The Next-Gen Strategy for Threat Detection

Two decades of advances in intrusion prevention systems (IPS) and security information and event management (SIEM) tools have had a huge influence on anti-malware tool vendors.

An important part of many next-generation anti-malware tools is the incorporation of a highly customized SIEM, tightly focused on receiving information on malware from endpoints and other very specific sensors, and then taking action to remediate the malware.

Anti-malware vendors have settled on two acronyms to help describe this part of their next-generation strategy: EDR (endpoint detection and response) and XDR (extended detection and response).

Whether they call it EDR, XDR or something else, the key characteristic is the word “response”: A management engine somewhere, on the desktop or in the cloud, is receiving information from the anti-malware and using that information to formulate a response.

RELATED: How does EDR compare to Managed Detection and Response?

First- and second-generation desktop anti-malware usually had a single type of action: block the execution, acting directly on the malicious payload as it tried to execute. Next-generation tools keep that option but acknowledge that sometimes it may be too late to block initial infection.

However, if you know that something bad happened, many actions after the fact can minimize or eliminate the threat. Among them are deleting the offending software from disk or memory; modifying firewall, Domain Name System and network behaviors; dismounting network volumes; pushing rules to local host IPS software; and — worst case — raising an early alarm so that IT security teams can get ahead of the threat before it spreads.

Anti-malware tools that incorporate response technology add highly focused security capabilities designed to protect end-user and server systems against a broader range of threats, and they are more valuable in an agency environment where the same IT team is protecting many systems.

Response technology — sometimes sold on-premises and sometimes as a cloud-based Software as a Service — is very customized to the anti-malware mission and has proved effective at keeping users and sensitive data secure.

Standart/Getty Images (sandbox)