As cyber attacks increase in frequency and complexity, organizations continue to invest in prevention-centric technologies to secure their network perimeter. However, prevention-centric technologies are less than perfect. They protect networks from known threats using a combination of security rules, signatures and reputation lists.
A critical component of today’s network perimeter security is the file-based sandbox. Sandboxes were created to analyze suspicious files on isolated hosts – many running different operating systems – in a contained environment.
The file behavior analysis includes changes to registry keys, creating new processes, installing new services, creating or deleting files, installing a toolbar, modifying host files, and command-and-control (C&C) server communications.
It’s important to note that the file behavior analysis is performed in an isolated network and on an isolated and simulated host. The analysis does not fully capture all the network behaviors of a real infected host.
The results of the sandbox file analysis are a signature that identifies the malicious file and a blacklist of the C&C servers contacted by the malware. Perimeter security devices use these signatures and blacklists to block known malicious files and C&C connections.
All new samples and variants of a malware go through this cycle of sandbox analysis. But malware creators are getting smarter and have designed malware that is aware of sandbox analysis. Some malware is equipped with tricks to evade sandbox detection. It also employs different methods to connect to the C&C server as a fallback option, such as HTTPS, Tor and P2P.
What happens to malware that slips past perimeter security defenses? What happens to an unknown malware? What happens when the file analysis has captured only a part of the malware behavior, such as the initial communication to a C&C server or just one of several methods of communicating with it? This is where network behavior analytics systems come to the rescue.
A network behavior analytics system uses a combination of machine learning and data science to analyze network traffic and identify traffic that indicates active malware in a network.
This provides security analysts with visibility into nefarious network activity and uncovers the steps of an active cyber attack. Regardless of the malware type, the attackers’ mission is the same: Spy, spread, and steal from the network.
The network traffic from an infected host includes communications with C&C servers, malware updates, internal reconnaissance, lateral movement (such as malware propagation and abuse of stolen credentials), data accumulation and data exfiltration.
These activities can occur over the course of several weeks or months. They often blend well with benign network traffic, which makes them even more difficult to detect using signatures and reputation lists.
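As an added illustration (not code from this article or from any vendor's product), the following Python sketch scores two of the behaviors listed above, periodic C&C beaconing and internal reconnaissance, over constructed flow records; the record layout, address ranges and thresholds are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records, not real traffic: (timestamp_seconds, src, dst, dst_port).
# 10.0.0.5 contacts an external host every 300 s (beacon-like),
# 10.0.0.7 touches 25 internal hosts on port 445 within ~50 s (recon-like),
# 10.0.0.8 contacts an external host a few times at irregular intervals (benign-looking).
FLOWS = (
    [(t, "10.0.0.5", "203.0.113.9", 443) for t in range(0, 3600, 300)]
    + [(600 + i * 2, "10.0.0.7", f"10.0.1.{i}", 445) for i in range(25)]
    + [(t, "10.0.0.8", "198.51.100.20", 443) for t in (15, 400, 950, 1200, 2900)]
)

def is_internal(ip):
    """Assumed internal address space for this example."""
    return ip.startswith("10.")

def beacon_candidates(flows, min_conns=6, max_cv=0.2):
    """Return (src, dst) pairs whose inter-connection gaps are suspiciously regular.

    Regularity is measured as the coefficient of variation (stdev / mean) of the
    gaps; low values mean timer-driven traffic rather than human-driven browsing."""
    by_pair = defaultdict(list)
    for ts, src, dst, _port in flows:
        by_pair[(src, dst)].append(ts)
    hits = []
    for pair, times in by_pair.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append(pair)
    return sorted(hits)

def recon_candidates(flows, window=120, min_targets=20):
    """Return sources that reach many distinct internal hosts within a short window."""
    by_src = defaultdict(list)
    for ts, src, dst, _port in flows:
        if is_internal(dst):
            by_src[src].append((ts, dst))
    hits = set()
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            targets = {d for t, d in events[i:] if t - start <= window}
            if len(targets) >= min_targets:
                hits.add(src)
                break
    return sorted(hits)
```

In production the same scoring would run continuously over flow or proxy logs and feed its findings to the SIEM; thresholds must be tuned per environment, since legitimate software updaters and monitoring agents also beacon regularly.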
A network behavior analytics system gives IT security teams the network visibility they need to quickly respond to cyber threats. It can detect threats missed by perimeter security devices such as firewalls, sandboxes and IPS. Security information and event management (SIEM) can leverage data from network behavior analytics systems to quickly identify and respond to threats.
In today’s threat landscape, every day is a zero-day. Network security must be layered. Complementing perimeter security, sandboxes and SIEMs with a network behavior analytics system is required to quickly identify and respond to cyber threats. It’s time to think outside the sandbox.
Signatures are great at catching large-scale commodity threats. But to stop targeted attacks, you need to jump off the signature hamster wheel and lay in wait where attackers will inevitably show up – inside your network.