Why Dwell Time Matters & What To Do About It

[et_pb_section fb_built=”1″ _builder_version=”3.22.4″][et_pb_row custom_padding=”0px|||||” custom_margin=”-60px|auto||auto||” _builder_version=”3.25″][et_pb_column type=”4_4″ _builder_version=”3.25″ custom_padding=”|||” custom_padding__hover=”|||”][et_pb_post_nav _builder_version=”3.22.4″][/et_pb_post_nav][et_pb_text _builder_version=”3.22.4″ text_font=”||||||||” text_font_size=”18px” min_height=”100px” custom_padding=”0px||0px|||”]

Introduction

At SecondWrite, we compared the detection results of the three evasive malware samples deemed malicious by our DeepViewTM cloud-based malware detector against other leading endpoint tools from Gartner’s magic quadrant. We measured over a thirty day period. The SHA256 hashes of these three difficult-to-classify samples are:

 

 

  1. 0cf65938c8bbf07edcb56b021ee3c2e9771c2408793b51b968c54d1579afaee6
  2. 832aeaf6c46aa20705930be6f4bff972435e8755332ce3674c6bdae0d302737d
  3. cdb35265366d862041830bd4eae02cc259ad841b146229dbab77cd59ff1fbdcc

 

We discovered that the file features extracted using our Forced Code Execution (FCE) and Automatic Sequence Detection (ASD) technologies enabled our malware classifier to detect these samples on day zero in about 5 minutes. We compared against 21 leading endpoint-based malware scanners. On average, SecondWrite’s Malware DeepViewTM detected these samples a full week before 46% of scanners tested. Six months later, 37% of the scanners tested still did not catch these samples.  

 

SecondWrite’s Malware DeepViewTM product can reduce malware the time it takes to detect malware (i.e. the dwell time) in an enterprise. It is important to reduce dwell time since not detecting malware within a few minutes of the infection can result in millions of dollars worth of loss to an organization. According to a report done by Aberdeen Group in 2017, the median detection time for data breaches was 38 days.

 

[/et_pb_text][et_pb_image src=”https://www.secondwrite.com/wp-content/uploads/2019/08/Untitled-presentation3.png” align_tablet=”center” align_last_edited=”on|desktop” _builder_version=”3.26.5″ border_radii=”on|4px|4px|4px|4px” border_width_all=”4px”][/et_pb_image][/et_pb_column][/et_pb_row][et_pb_row _builder_version=”3.25″][et_pb_column type=”4_4″ _builder_version=”3.25″ custom_padding=”|||” custom_padding__hover=”|||”][et_pb_text _builder_version=”3.26.5″ text_font=”||||||||” text_font_size=”18px”]

For the complete malware analysis reports, the malware samples themselves, or the collected PCAP files, please contact us at info@secondwrite.com

Sample #1: Time- and Operating System-based Evasions 

 

This malware sample was designed to evade detection by terminating early if the current system time was different than some expected time. Early termination typically results in very few malicious behavioral indicators. Our Forced Code Execution (FCE) technology was able to defeat this time-based evasion and force the malware to continue its execution. 

    

The sample then checked for the presence of an operating system dependency that happened not to be in our sandbox. This again caused the sample to terminate early. As it is impossible for a sandbox to be simulate every possible execution environment, DeepViewTM realised that it had too few dynamic indicators to correctly determine maliciousness. DeepViewTM  then used its static feature-based ML model in conjunction with Automatic Sequence Detection (ASD) to declare this sample as malicious. Here is the corresponding evidence from our malware report: 

[/et_pb_text][et_pb_image src=”https://www.secondwrite.com/wp-content/uploads/2019/08/Untitled-presentation4.png” align_tablet=”center” align_last_edited=”on|desktop” _builder_version=”3.26.5″ border_radii=”on|4px|4px|4px|4px” border_width_all=”4px” border_color_all=”#000000″][/et_pb_image][/et_pb_column][/et_pb_row][et_pb_row _builder_version=”3.25″][et_pb_column type=”4_4″ _builder_version=”3.25″ custom_padding=”|||” custom_padding__hover=”|||”][et_pb_text _builder_version=”3.22.4″ text_font=”||||||||” text_font_size=”18px”]

How did the rest of the industry do?

[/et_pb_text][/et_pb_column][/et_pb_row][et_pb_row _builder_version=”3.25″][et_pb_column type=”4_4″ _builder_version=”3.25″ custom_padding=”|||” custom_padding__hover=”|||”][et_pb_image src=”https://www.secondwrite.com/wp-content/uploads/2019/08/Hash_-0cf65938c8…2.png” align_tablet=”center” align_last_edited=”on|desktop” _builder_version=”3.26.5″ border_radii=”on|4px|4px|4px|4px” border_width_all=”4px”][/et_pb_image][et_pb_text _builder_version=”3.22.4″ text_font=”||||||||” text_font_size=”18px”]

On day zero, only three other scanners were able to identify this suspicious sample. Ten days later, no other detection tool had yet to join those first three. One month later, 16 other scanners were able to identify the sample correctly. 

 

In short, 61% of the scanners took at least ten days to catch this sample and 24% of the scanners never detected the sample even after six months. No wonder dwell time in a network can be so long!

 

Sample #2 – Forced Code Execution (FCE) to the Rescue!

The second sample also had a malware evasion that was defeated by our Forced Execution Technology (FCE) technology.  Our neural-networks and CNN based machine learning classifier then classified it as malicious on zero-day. Here is a snippet from the report showing the extra behavior detected by FCE. 

 

[/et_pb_text][et_pb_image src=”https://www.secondwrite.com/wp-content/uploads/2019/08/Untitled-presentation2.png” align_tablet=”center” align_last_edited=”on|desktop” _builder_version=”3.26.5″ border_radii=”on|4px|4px|4px|4px” border_width_all=”4px”][/et_pb_image][/et_pb_column][/et_pb_row][et_pb_row _builder_version=”3.25″][et_pb_column type=”4_4″ _builder_version=”3.25″ custom_padding=”|||” custom_padding__hover=”|||”][et_pb_text _builder_version=”3.26.5″ text_font=”||||||||” text_font_size=”18px”]

And the rest of the industry?

[/et_pb_text][et_pb_image src=”https://www.secondwrite.com/wp-content/uploads/2019/08/Hash_-832aeaf6c4…2.png” align_tablet=”center” align_last_edited=”on|desktop” _builder_version=”3.26.5″ border_radii=”on|4px|4px|4px|4px” border_width_all=”4px”][/et_pb_image][/et_pb_column][/et_pb_row][et_pb_row _builder_version=”3.25″][et_pb_column type=”4_4″ _builder_version=”3.25″ custom_padding=”|||” custom_padding__hover=”|||”][et_pb_text _builder_version=”3.22.4″ text_font=”||||||||” text_font_size=”18px”]

This sample had many more malicious behavioral indicators than the previous one, but it still took a while for most of the industry to catch it. It was declared malicious by two other scanners on day 0, five on day 5, seven on day 10, and eleven on day 30. 

 

In short, of the 11 scanners that would eventually flag this sample, only 45% caught it after five days. Of the scanners tested, 29% of them took more than ten days. Furthermore, 48% still had not detected this sample as malicious even after six months.

 

Sample #3 – Automatic Sequence Detection (ASD) for the Win!

 

This sample did not execute very far since it did not have the permissions it needed in our sandbox environment. However, even without executing the sample, our Automatic Sequence Detection (ASD) technology was able to recognize the instruction sequences as being closer to malicious samples than benign ones. Therefore, our ML declared this sample as malicious on day zero. Here is a snippet from our report that gives you this information. 

 

[/et_pb_text][/et_pb_column][/et_pb_row][et_pb_row _builder_version=”3.25″][et_pb_column type=”4_4″ _builder_version=”3.25″ custom_padding=”|||” custom_padding__hover=”|||”][et_pb_image src=”https://www.secondwrite.com/wp-content/uploads/2019/08/Untitled-presentation5.png” align_tablet=”center” align_last_edited=”on|desktop” _builder_version=”3.26.5″ border_width_all=”4px”][/et_pb_image][et_pb_text _builder_version=”3.26.5″ text_font=”||||||||” text_font_size=”18px”]

Everyone else?

[/et_pb_text][et_pb_image src=”https://www.secondwrite.com/wp-content/uploads/2019/08/Hash_-cdb3526536…2.png” align_tablet=”center” align_last_edited=”on|desktop” _builder_version=”3.26.5″ border_width_all=”4px”][/et_pb_image][et_pb_text _builder_version=”3.26.5″ text_font=”||||||||” text_font_size=”18px”]

From day 0 to day 5, only three other scanners discovered this sample. On day 10, twelve scanners found it and by day 30, the total number was thirteen. In short, 48% of scanners tested missed this sample in the first five days. Even six months later, 38% of the tools tested had yet to detect the samples as malicious. 

 

Conclusion

 

DeepViewTM is a malware processing engine that looks at a myriad of static and dynamic features when classifying the maliciousness of a sample. It is built on forward-looking technology based on strong theoretical knowledge of program analysis. This research pedigree is the backbone of our company. The results speak for themselves. 

 

Please contact us at info@secondwrite.com for the malware samples, PCAP files, or the full file reports. The reports contain the following sections: 

  1. Malware Score
  2. All Indicators of Compromise
  3. Static imports and strings 
  4. Static section information 
  5. Matched Yara patterns
  6. Detailed process graph
  7. Detailed APIs
  8. Files written, read, opened and copied
  9. Registry Keys opened, read and written
  10. Detailed Network information of all the IP addresses contacted. 
  11. Network Map 
  12. Detailed file information 

We offer 21 days free licenses to try out DeepView. You can sign-up for a free trial here

 

Proprietary DeepViewTM Technologies

 

  1. Forced Code Execution (FCE) – A technology leveraging patented binary rewriting to dynamically force the execution of all code paths within a program, exposing hidden behavior within a sample and defeating the evasive intent of the malware writer. 

 

  1. Automatic Sequence Detection (ASD) – A technology that uses deep machine learning to automatically identify program code patterns that are more frequently found in malicious programs than in benign programs and vice versa.

 

Appendix

 

Sample 1

SHA256:  0cf65938c8bbf07edcb56b021ee3c2e9771c2408793b51b968c54d1579afaee6

SHA1:  af830eff226222c080dee74b308a3d82f699dabf

MD5:  9dd09fd2fc3677e9ccaf36118937f9d7

 

Sample 2

SHA256:  832aeaf6c46aa20705930be6f4bff972435e8755332ce3674c6bdae0d302737d

SHA1:  2dc5fc7b367cbda8f66bbb80befa615b93b84ac2

MD5:  683cc162999da98c2f3763bddbc57e50

 

Sample 3

SHA256: cdb35265366d862041830bd4eae02cc259ad841b146229dbab77cd59ff1fbdcc

SHA1:  744a20933c8943580047ae86da0c4d226132db36

MD5:  7aa282e556a117edfbd8728af2378cb1

[/et_pb_text][/et_pb_column][/et_pb_row][et_pb_row _builder_version=”3.25″][et_pb_column type=”4_4″ _builder_version=”3.25″ custom_padding=”|||” custom_padding__hover=”|||”][et_pb_text _builder_version=”3.22.4″][/et_pb_text][/et_pb_column][/et_pb_row][et_pb_row _builder_version=”3.25″][et_pb_column type=”4_4″ _builder_version=”3.25″ custom_padding=”|||” custom_padding__hover=”|||”][et_pb_post_nav in_same_term=”on” _builder_version=”3.22.4″][/et_pb_post_nav][/et_pb_column][/et_pb_row][/et_pb_section][et_pb_section fb_built=”1″ _builder_version=”3.22.4″][et_pb_row _builder_version=”3.25″][et_pb_column type=”4_4″ _builder_version=”3.25″ custom_padding=”|||” custom_padding__hover=”|||”][et_pb_team_member name=”Paul Talamo” position=”Chief Operating Officer” image_url=”https://www.secondwrite.com/wp-content/uploads/2019/02/Paul-2-2.jpg” _builder_version=”3.26.5″]Paul Talamo is an entrepreneur with twelve years of experience in the cyber security industry. He has been a founder or principal employee at three startups.[/et_pb_team_member][/et_pb_column][/et_pb_row][/et_pb_section]