For years, security professionals have become increasingly aware of the limitations of signatures. And yet for all this awareness, the industry is still focused on making signatures faster instead of addressing the fundamental problem.
Threat feeds deliver signatures faster and faster, and malware sandboxes generate new signatures for newly discovered malware. Nonetheless, attackers continue to evade them and are winning at an ever-increasing rate.
Spinning the hamster wheel ever faster is not the solution. To move forward we have to address the fundamental limitations of signatures, understand why they exist, and build a new model that makes detection of threats the primary concern.
Why signatures don’t work
Firewalls, intrusion prevention systems and other traditional in-line security defenses block threats as they cross the perimeter. Although they continue to provide value, they have a fundamental limitation – they have a very short window in which to detect a threat – often just a few milliseconds. Because they sit in-line, their impact on network performance is paramount and security checks must be performed as quickly as possible. Simply put, they don’t have time to think.
As a result, they rely on signatures to identify signs of a previously identified threat such as a known exploit, piece of malware, or known malicious IP or URL. That means that they can only recognize known threats that have been previously seen.
In their defense, signature-based solutions can be effective at protecting against large-scale, commodity threats with well-known indicators such as botnets, automated crawlers and known exploits. They are an important component, but signatures offer scant protection against targeted attackers who make an effort to avoid detection.
Sophisticated attackers know this, so they’ve gotten quite clever at modifying their attacks to avoid simple triggers. Malware is easily modified or encrypted to ensure it does not match known signatures.
Additionally, attackers can easily use IP addresses or URLs that are trusted and not on any blacklists. And the most enterprising attackers can target zero-day vulnerabilities, which by nature have no signatures associated with them.
Unfortunately, the attackers who are willing to work a little harder are the ones who pose the greatest risk to an organization. These are the targeted attacks that lead to the theft of customer data, intellectual property, and trade secrets.
To stop these types of threats, our approach to detection must evolve. While signature-based security sacrifices intelligence for speed, new models of security are bringing intelligence back into network security to find threats that represent the highest risk.
Learn the actions of attackers, not their names
Attackers may be able to constantly morph their appearance, but they can’t change the fundamentals of what they need to do – spy, spread and steal from the victim’s network. These behaviors are fundamental to the success of an attack, and they are observable.
By focusing on attack behaviors instead of tactics, threats can be detected even as the attacker evolves. This requires a radically new approach to network security that understands the true purpose of network traffic without relying on signatures, reputation lists or blacklists.
When data science, machine learning and behavioral analysis are applied to network traffic, it’s possible to identify the fundamental actions of an attack. This approach tackles all phases of an attack, including command and control, botnet monetization, internal reconnaissance, lateral movement and data exfiltration.
This next wave of automated threat management can:
- Detect internal darknet scans and port scans as an attacker maps out the internal network and identifies available services on newly discovered hosts.
- Identify the behaviors common to Kerberos client attacks, such as stolen credentials or pass-the-hash, which are used to move laterally within the network.
- Reveal when a host uses automated replication to propagate similar payloads throughout the network, such as the MSI packages used to infect additional hosts.
- Reveal threats in SSL without decrypting traffic so attackers can no longer hide within legitimate communications.
- Detect the difference between URLs that are created exclusively for attackers vs. legitimate sites.
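As an added illustration of the behavioral approach in the list above (this is not Vectra's code; the thresholds, the darknet range and the flow records are constructed assumptions), the following Python detector flags internal host sweeps, port scans and darknet probes from plain connection records by what the source host does, not by matching any signature:

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

DARKNET = ip_network("10.0.9.0/24")  # assumed unused internal range: nothing legitimate lives here
WINDOW = timedelta(minutes=5)        # look for recon behavior inside this time span
MIN_TARGETS = 5                      # distinct hosts (sweep) or ports (scan) inside WINDOW
MAX_SUCCESS_RATIO = 0.5              # recon mostly hits closed ports and silent hosts
MIN_DARKNET_HITS = 3                 # assumed threshold for probes into unused space

# Constructed sample flow records: (time, src, dst, dst_port, outcome).
# outcome: "ok" = TCP handshake completed, "rst" = rejected, "none" = no reply.
SAMPLE_FLOWS = [
    ("2024-01-01 09:00:00", "10.0.1.5", "10.0.2.10", 445, "ok"),   # ordinary file-share use
    ("2024-01-01 09:00:04", "10.0.1.5", "10.0.2.11", 443, "ok"),
    ("2024-01-01 09:10:00", "10.0.3.7", "10.0.2.10", 22, "rst"),   # 10.0.3.7 sweeps a subnet for SSH
    ("2024-01-01 09:10:00", "10.0.3.7", "10.0.2.11", 22, "ok"),
    ("2024-01-01 09:10:01", "10.0.3.7", "10.0.2.12", 22, "none"),
    ("2024-01-01 09:10:01", "10.0.3.7", "10.0.2.13", 22, "none"),
    ("2024-01-01 09:10:02", "10.0.3.7", "10.0.2.14", 22, "rst"),
    ("2024-01-01 09:20:00", "10.0.4.9", "10.0.9.1", 80, "none"),   # 10.0.4.9 probes unused space
    ("2024-01-01 09:20:01", "10.0.4.9", "10.0.9.2", 80, "none"),
    ("2024-01-01 09:20:02", "10.0.4.9", "10.0.9.3", 80, "none"),
]

def detect_recon(flows):
    """Return {src: sorted behaviors} for hosts whose traffic looks like internal reconnaissance."""
    by_src = defaultdict(list)
    for ts, src, dst, port, outcome in flows:
        by_src[src].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), dst, port, outcome))
    alerts = {}
    for src, recs in by_src.items():
        recs.sort()
        reasons = set()
        for i, (t0, _, _, _) in enumerate(recs):      # sliding window starting at each record
            win = [r for r in recs[i:] if r[0] - t0 <= WINDOW]
            hosts = {r[1] for r in win}
            ports = {r[2] for r in win}
            success = sum(r[3] == "ok" for r in win) / len(win)
            darknet_hits = sum(ip_address(r[1]) in DARKNET for r in win)
            if success <= MAX_SUCCESS_RATIO and len(hosts) >= MIN_TARGETS:
                reasons.add("host sweep")       # many hosts, mostly unanswered or rejected
            if success <= MAX_SUCCESS_RATIO and len(ports) >= MIN_TARGETS:
                reasons.add("port scan")        # many ports, mostly closed
            if darknet_hits >= MIN_DARKNET_HITS:
                reasons.add("darknet probe")    # touching addresses no legitimate client uses
        if reasons:
            alerts[src] = sorted(reasons)
    return alerts
```

Changing a payload, a binary hash or a source IP does not change what this sees: the counts of distinct targets, the failure ratio and the darknet hits come from the behavior itself.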
And that’s just the start of this innovation.
As security professionals, we push the rock uphill every day, only to have it roll back down every night. It’s time for a more cunning approach. One that lets you set up a strategic position at the top of the hill to monitor and automatically detect where attackers will eventually arrive. And then you can push the rock down on them.
Take a deeper dive into how Vectra does it by downloading the white paper, Automated threat management: No signature required.