Despite tremendous investment in cyber security defenses, enterprises are still unable to safeguard themselves against the rising threat of cyberattacks. According to a survey conducted by the Ponemon Institute, a leading market research firm, 70% of organizations reported being the victim of a successful cyberattack in 2015.
The ineffectiveness of signature-based defenses has produced a wave of security solutions in the category of automated malware analysis: a suspicious file observed at the network boundary or on an endpoint is automatically submitted to an isolated environment, called a sandbox. The sandbox detonates (executes) the file, analyzes its behavior, and classifies the object as malicious or benign.
We believe that the current breed of sandbox solutions has taken only an initial step in transforming reverse-engineering skills into an automated solution. These solutions are based only on monitoring the interaction of malware with its "external" environment, primarily the operating system's resources on the computer. Manual analysis of a malware sample, on the other hand, involves deep "introspection" of the malware's "internal" code behavior, in order to understand and defeat the ingenious techniques employed by malware writers. Manual analysis, however, is expensive and does not scale. The lack of automated deep introspection has left a huge blind spot in current solutions, one that malware writers readily exploit to bypass them. It also means that such solutions classify a suspicious object primarily on its external behavior, which produces a flood of false alarms, since external behavior alone is insufficient to conclusively determine maliciousness in many cases.
We started SecondWrite with a vision to eliminate such blind spots in automated malware analysis and to fulfill the original aim of this technology: applying reverse-engineering knowledge to automatically analyze and detect malware at scale. To solve this problem, we bring to bear our founding team's ten years of research in deep analysis of software and malware, and our patented technologies developed at SecondWrite and in our prior work at the University of Maryland, College Park.
With this vision, we are launching a beta version of our first product, a unique combination of a sandbox and a deep-introspection runtime code analyzer. Named the SecondWrite Malware Processing Engine (MPE), it aims to solve the growing problem of evasion faced by sandbox solutions. Evasive malware exploits blind spots in such solutions and avoids detection by altering or hiding its behavior while it is being monitored in a sandbox. This is a fundamental threat to automated sandbox solutions, with more than 80% of modern malware being evasive in nature. Evasive malware employs a variety of techniques to avoid detection in a sandbox, including, but not limited to: sleeping for some time or doing useless work until the sandbox times out; logic bombs, such as launching the attack only on specific dates; and launching the attack only on the intended victim's computer, identified, for example, by a specific username. Cybercriminals continuously develop new evasive strategies to avoid detection.
Other products handle evasions reactively, by developing ad hoc mechanisms to counter individual evasive techniques. Such reactive mechanisms are ineffective against targeted attacks or any new, zero-day evasive method. As an example, the Carbanak malware in 2015-2016 resulted in the theft of an estimated $1 billion from financial institutions worldwide. It employed a zero-day evasion and was able to defeat several automated malware analysis solutions.
Based on our patented program-analysis technologies, we have developed a proactive sandbox designed to detect all types of evasive malware, including previously unknown zero-day evasions and targeted malware. Employing our deep introspection of a sample while it is detonated inside the sandbox, it acts as a lie detector that analyzes all the code in the malware through complete code exploration. This fundamental principle of complete code exploration is not tailored to any specific evasion, which makes it much harder for cybercriminals to develop malware that avoids detection. With this technology, SecondWrite's sandbox detects at least 25% more malware than other sandboxes.
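To make the two ideas above concrete, here is an added toy model, written for this post and not SecondWrite's code: a sample with the three evasion gates described earlier (a long sleep, a date logic bomb, and a username check), a behavior-only verdict from one detonation, and a driver that re-runs the sample while forcing each conditional the other way until every outcome combination has executed once. The branch-forcing driver is a simplified stand-in for the principle of complete code exploration; the post does not describe how the MPE implements it, and the sandbox environment, trigger date, victim username and indicator strings are all constructed for the example.

```python
"""Toy model of sandbox evasion gates versus forcing every branch.

Constructed illustration; not SecondWrite's code or algorithm. The driver
below is a simplified stand-in for complete code exploration.
"""
import datetime

# Observations that a behaviour-only classifier treats as malicious (assumed).
MALICIOUS_PREFIXES = ("write:", "connect:")


class Env:
    """Environment the sample queries (clock, user name, Sleep).

    `forced` maps a branch label to the outcome the analyst wants taken,
    regardless of the real environment: the toy equivalent of patching a
    conditional jump during analysis.
    """

    def __init__(self, real, forced=None):
        self.real = real              # dict: username, date, sleep_budget_s
        self.forced = dict(forced or {})
        self.path = []                # [(label, outcome_taken), ...] in order
        self.slept_s = 0

    def sleep(self, seconds):
        """True if the sample got its full sleep, False if the sandbox timed out."""
        self.slept_s += seconds
        return self.slept_s <= self.real["sleep_budget_s"]

    def username(self):
        return self.real["username"]

    def date(self):
        return self.real["date"]

    def branch(self, label, real_outcome):
        """Record the conditional and apply a forced outcome if one is set."""
        outcome = self.forced.get(label, real_outcome)
        self.path.append((label, outcome))
        return outcome


def evasive_sample(env):
    """Evasive sample with the three gate types named in the post."""
    events = []
    # Gate 1: stall for 10 minutes; most sandboxes time out first and see nothing.
    if not env.branch("slept_full", env.sleep(600)):
        return events
    # Gate 2: logic bomb keyed on the date (trigger date is an assumption).
    if not env.branch("date_ok", env.date() >= datetime.date(2016, 3, 1)):
        events.append("idle")
        return events
    # Gate 3: fire only on the intended victim's account (assumed name).
    if not env.branch("target_user", env.username() == "jsmith"):
        events.append("idle")
        return events
    events.append("write:%APPDATA%\\dropper.exe")
    events.append("connect:198.51.100.7:443")
    return events


def behaviour_verdict(events):
    """What an external-behaviour monitor concludes from one detonation."""
    if any(e.startswith(MALICIOUS_PREFIXES) for e in events):
        return "malicious"
    return "benign"


def explore_all_paths(sample, real):
    """Detonate repeatedly, each time forcing one not-yet-forced conditional
    the other way, until every outcome sequence has been run exactly once."""
    results = []                 # (path, events) per detonation
    worklist = [{}]              # forced-outcome prefixes still to run
    while worklist:
        forced = worklist.pop()
        env = Env(real, forced)
        events = sample(env)
        results.append((tuple(env.path), events))
        # Only flip conditionals beyond the forced prefix; earlier ones are
        # pinned to what this run observed, so no sequence is repeated.
        for i in range(len(forced), len(env.path)):
            child = dict(env.path[:i])
            label, outcome = env.path[i]
            child[label] = not outcome
            worklist.append(child)
    return results


def analyze(sample, real):
    """Compare one behaviour-only run with exhaustive branch forcing."""
    single_run = sample(Env(real))
    explored = explore_all_paths(sample, real)
    hidden = [(p, ev) for p, ev in explored if behaviour_verdict(ev) == "malicious"]
    return {
        "single_run_verdict": behaviour_verdict(single_run),
        "paths_explored": len(explored),
        "exploration_verdict": "malicious" if hidden else "benign",
        "gates_forced": [label for label, _ in hidden[0][0]] if hidden else [],
    }


# Constructed sandbox: generic analyst account, clock before the trigger
# date, two-minute detonation budget. All three gates fail on a plain run.
SANDBOX = {"username": "analyst", "date": datetime.date(2016, 2, 15), "sleep_budget_s": 120}

if __name__ == "__main__":
    print(analyze(evasive_sample, SANDBOX))
```

On the constructed sandbox the single detonation sees no file write or connection and is classified benign, while the branch-forcing driver reaches the payload after four runs and reports which three gates had to be flipped. The point the toy makes is the one in the text: the driver knows nothing about sleeps, dates or usernames in particular, so a fourth, unknown gate would be flipped the same way. A real implementation has to cope with path explosion, infeasible forced paths and side effects of executing code that would not otherwise run, none of which this model addresses.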
The SecondWrite Sandbox is presently available for beta evaluation. Please contact us if you want to be included in the beta program. We are excited to embark on this journey of applying our university-developed research to real-world cybersecurity problems.