10 Things To Test In Your Future NGFW: Protect Evasive and Never-Before-Seen Attacks

This post is part of a blog series where we dissect the ten things to test in your future next-generation firewall. These ten points will help ensure your next firewall matches the needs of your organization in its current and future states.

With the availability and growth of the cybercrime underground, any attacker, novice or advanced, can purchase plug-and-play threats designed to identify and avoid malware analysis environments. The ability to identify and protect against evasive malware is more crucial now than ever.

Why Should You Advocate and Test This Capability?

The SANS Institute has reported that use of malware programs capable of evading detection rose 2,000 percent between 2014 and 2015. Today, most modern malware leverages these advanced techniques, which can bypass traditional, common network security solutions to transport attacks or exploits through network security devices, firewalls and sandbox discovery tools. Although we can’t build individual tools to detect every piece of evasive malware, it’s critical to utilize systems that can identify evasive techniques and automatically counteract them.

Move Beyond the Status Quo

Fight Automation with Automation
Attackers often make slight modifications to malicious code, resulting in malware variants and/or polymorphic malware. Threat signatures that rely on specific variables, such as a hash, filename or URL, get one-to-one matches only against known threats. This “new” malware is considered unknown, as protections have only been created for the original malware, not its modified variant.

Rather than use signatures based on specific attributes, NGFWs should use content-based signatures to detect variants, polymorphic malware, or command-and-control activity. Content-based signatures detect patterns that allow them to identify known malware that has been modified. This results in signatures capable of automatically preventing tens of thousands of variants created from the same malware family, rather than trying to create signatures for individual variants.

Command-and-control threats can pose a challenge, with malware authors creating C2 communications that automatically change the DNS or URL. Automated signatures based on these artifacts quickly become outdated and ineffective. C2 signatures based instead on analysis of C2 outbound communication patterns are much more effective protections that can scale at machine speed when created automatically.

Validate with More Than One Analysis Method
More determined, skilled attackers will create entirely new threats with purely new code, the costliest method for attackers. Any such threat will be treated as an unknown and go undetected.

When an entirely unknown threat enters an organization, the clock begins ticking. Protections must be created and distributed across all security products more quickly than a threat can spread. This can be accomplished by automating various aspects of the analysis, including static analysis with machine learning, dynamic analysis and bare metal analysis.­­­­ Implementing automation results in accurate identification of threats, enables rapid prevention, improves efficiency, makes better use of the talent of your specialized staff, and improves your organization’s security posture.

Create Knowledge Gaps for Attackers
Purpose-built virtual analysis environments add challenges and costs for attackers as they work to avoid discovery. The targeted environment would require different techniques from those of other commonly known analysis environments, making it more likely for you to identify the threat.

Move Beyond Virtual Environments
There are a number of ways to counter threats built to evade analysis environments, and a modern, effective security platform should combine multiple techniques. For example, combining dynamic analysis in a sandbox environment with bare metal analysis has proven effective in countering malware that assesses the environment to determine if it is being analyzed. When employing bare metal analysis, if the file successfully evades virtual analysis, it can be steered to a real hardware environment for detonation and observation. The malicious activity of the file, which would otherwise have remained dormant in the virtual environment, will fully execute in the bare metal environment.

Prevent the Spread of an Attack, Share Threat Intelligence
Threat intelligence sharing allows organizations to benefit not only from their own intelligence but from that of other organizations globally. Should an organization identify an entirely new threat and share that information, other organizations in the sharing network would be able to identify and treat this new threat as “known.” This intelligence should come from multiple sources and be correlated and validated for necessary context, in addition to the creation and distribution of an actionable response, further contributing to rapid, automated prevention.

Recommended RFP Questions

• Does your cloud-based malware analysis system support multiple analysis techniques, including bare metal analysis for detecting evasive, sandbox-aware malware?
• Does your cloud-based malware analysis system use a custom-coded hypervisor to be effective against sandbox-aware malware?
• Does your malware analysis system, after analyzing malware, create threat prevention signatures, such as:
  • Content-based AV signatures to prevent known and unknown variants of malware
  • Pattern-based anti-spyware signatures to detect communications to known and unknown C2 infrastructure
• Does your cloud-based malware analysis system support malware analysis for file types of Windows, Android and macOS operating systems?

Learn more about the 10 things to test for in your future NGFW.