Two misunderstandings about advanced malware

Source: Internet
Author: User

Advanced malware is the newest and potentially most destructive threat in the online world. It is stealthy, targeted, and extremely patient. Although some well-known malware carries signatures that are easy to identify, advanced malware changes constantly to evade defenses that rely on general recognition patterns. It also focuses on specific targets and acts "carefully" before reaching its goal, leaving as few "traces" on the network as possible. Advanced malware can be active for a long time before it is detected and removed, and during that undiscovered period it can cause significant damage to systems and organizations.

Traditional network security solutions are no longer fully effective against advanced malware. Solutions based on the "signature" method are efficient and accurate at catching known malware, but on their own they are clearly insufficient to fully protect an organization.

So how should we deal with advanced malware? I would like to discuss two common misunderstandings about advanced malware solutions and then analyze what the most effective approach is.

Misunderstanding 1: The main problem is how to identify advanced malware

Given the features of advanced malware analyzed above, traditional solutions cannot meet our needs, so we need another path. Currently, a common method for responding to such threats is a behavior-based technology called sandboxing.

A sandbox is a powerful offline analysis tool: it isolates unknown or suspicious files in a virtual environment and lets them execute fully, as if they had reached their target, while the sandbox's built-in instrumentation monitors the file's "every action". If a file is suspected of being a threat, it cannot cause real harm inside the isolated virtual environment. Sandboxing therefore creates a relatively safe environment for testing suspicious files. In addition, because a sandbox does not need to know anything about a file before analysis, that is, it needs no "signature", it is a powerful technology for identifying advanced malware.

However, sandboxes also have limitations. For example, many sandboxes can only run a generic build of a given operating system rather than a true image of the customer's actual operating environment. This can lead to incorrect conclusions about a suspicious file's behavior and limits their ability to capture advanced threats to some extent.

Nevertheless, this behavior-based approach is still very effective at identifying a large number of advanced threats, so the market has embraced the technology enthusiastically. That enthusiasm, however, has produced a common misconception: that the main problem with advanced malware is how to identify it.

Identifying advanced malware is certainly important, but the real challenge is how to deal with it: blocking it and repairing the damage it causes.

Sandboxing is a function, not a product. Identifying advanced malware is only one step, not a solution. Although traditional solutions often fail to recognize advanced malware, they provide excellent protection capabilities. The limitation of a sandbox is that it can only identify threats; it cannot block them or repair the damage. Therefore, to truly resist advanced malware, the sandbox must be paired with tools that prevent threats and repair the damage they cause. Without these additional capabilities, the security industry solves only the identification problem and leaves most of the work to the customer.

Misunderstanding 2: A sandbox can isolate malware

Malware analysis is often complex and time-consuming, so sandboxing is not a real-time technology. In fact, most sandboxes analyze only a copy of a file while the original is forwarded to its destination. Therefore, even when a suspicious file is found to be malicious, the actual file has already reached its destination and caused damage.

In this respect, the sandbox can only discover that a suspicious file is malicious; it cannot actually stop it.

In addition, a sandbox usually watches a single entry point into the environment and does not notice other advanced malware slipping in through other entry points. Truly secure technology must be able to identify and block malware entering through any entry point, without relying on additional software.

So how can we raise the security level? We need monitoring at every entry point and techniques that block blacklisted files. If a sandbox solution has additional file-blocking functions, and assuming those functions are mature, there are two options: deploy the technology at every entry point, which is expensive, or use a solution that performs centralized analysis on the suspicious files found by the existing security products at those endpoints.

Obviously, the second method reduces cost more effectively and makes network control stricter.

All in all, unlike traditional defenses that analyze and block malware in real time, a sandbox cannot operate in real time. To respond effectively to advanced threats, a sandbox must be deployed as part of a highly integrated security environment: one that handles multiple endpoints, feeds information back to the operating environment, raises alerts when new malware is detected, and prevents and repairs the damage done before detection.
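As an added illustration, not part of the original article, the following constructed Python model contrasts the detect-only sandbox described above (a copy is analyzed while the original is delivered) with a deployment whose verdicts feed a blocklist shared by every entry point, as the centralized-analysis option suggests; the gateway names, the sandbox stand-in and the sample payload are all assumptions.

```python
import hashlib

# Constructed marker: the stand-in sandbox flags any payload containing it.
MALICIOUS_MARKER = b"constructed-malicious-sample"


def sandbox_analyze(payload: bytes) -> str:
    """Stand-in for a slow dynamic-analysis run: 'malicious' or 'clean'."""
    return "malicious" if MALICIOUS_MARKER in payload else "clean"


class Gateway:
    """One entry point (mail, web, removable media) sharing a central blocklist.

    copy_only=True models the detect-only sandbox from the text: the original
    file is delivered at once and only a copy is analysed afterwards.
    copy_only=False holds the file until the sandbox verdict arrives.
    """

    def __init__(self, name: str, blocklist: set, copy_only: bool):
        self.name, self.blocklist, self.copy_only = name, blocklist, copy_only
        self.delivered, self.blocked = [], []

    def receive(self, payload: bytes) -> str:
        digest = hashlib.sha256(payload).hexdigest()
        if digest in self.blocklist:          # verdict already known: block here
            self.blocked.append(digest)
            return "blocked"
        if self.copy_only:
            self.delivered.append(digest)     # original has already gone through
            if sandbox_analyze(payload) == "malicious":
                self.blocklist.add(digest)    # verdict lands after delivery
                return "delivered-then-flagged"
            return "delivered"
        if sandbox_analyze(payload) == "malicious":   # file held until verdict
            self.blocklist.add(digest)
            self.blocked.append(digest)
            return "blocked"
        self.delivered.append(digest)
        return "delivered"


def simulate(copy_only: bool) -> tuple:
    """The same sample arrives at two entry points that share one blocklist."""
    shared_blocklist = set()
    mail = Gateway("mail", shared_blocklist, copy_only)
    web = Gateway("web", shared_blocklist, copy_only)
    sample = b"invoice.pdf " + MALICIOUS_MARKER    # constructed payload
    first, second = mail.receive(sample), web.receive(sample)
    return first, second, len(mail.delivered) + len(web.delivered)
```

With copy_only=True the first copy reaches its destination and only the second entry point is protected by the shared verdict; with copy_only=False neither copy is delivered, which is the integration the article argues for.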

(The author is McAfee's global Chief Technology Officer)
