The Challenge
Attackers continuously advance their methods to design, create, and deliver malware. This results in an arms race with enterprises and the cybersecurity industry, who are likewise developing defenses.
Malware writers use tailored evasive techniques to hide from attack detection tools, e.g.:
– Security Endpoint Tools – static analyzers operating at the host/server and PC/laptop level, like: A/V tools, IDSs, HIDSs, debuggers, etc.
– Network Endpoint Tools – static analyzers operating at the network level, like: firewalls, NIDSs, etc.
– Sandbox Tools – dynamic analyzers operating at the network level, like: detonation chambers, light sandboxes, sandboxes, etc.
Malware Facts
- Antivirus tools detect only 43% of attacks [Ponemon 2018]
- Zero-day malware can go undetected for 4-6 months. [Ponemon 2018]
- Zero-day attacks are increasing – 37% of malware attacks today. [Ponemon 2018]
- Over 66% is obfuscated [2019 Q4 Report by WatchGuard]
- Over 93% is polymorphic [2019 Threat Report by WebRoot]
- 78% of malware uses file packing to evade detection [2017 Annual Report by PandaLabs]
- Automated malware distribution accounts for 70%-80% of attacks [2019 Q4 Report by WatchGuard]
- 28% of security breaches involved malware [2020 Data Breach Investigations Report by Verizon]
- 86% of security breaches were financially motivated [2020 Data Breach Investigations Report by Verizon]
- 27% of malware incidents attributed to ransomware [2020 Data Breach Investigations Report by Verizon]
- A single ransomware incident costs $713,000 on average [Reported to CNBC by Kaspersky Lab]
- Total cost of an average malware attack is $2.6m [2019 Cost Of Cybercrime Study by Accenture]
- The March 2018 malware attack on Atlanta’s Payment Portal, with a variant of SamSam, resulted in:
– Atlanta paying $50,000 in ransom
– The City covering $2,267,328 in recovery costs
– Citizens unable to pay their water bills
– Law enforcement writing reports by hand
– The City unable to take applications for employment [Jan 2020 CPO Magazine]
Evasive Techniques Against Static Analysis
Malware writers use techniques to hide the malicious code from being scanned, so that its signature is never detected, including:
- Polymorphism: where the code in the malware is slightly changed so that it no longer matches the original code signature, and hash lookups no longer find it
- Control-Flow Obfuscation: where the malware is purposely hidden by making the code unreadable to binary analysis tools
- Packing: where the code in the malware is encrypted to prevent its analysis
The malware also checks for some condition and does not execute the malicious code when that condition holds, thus avoiding and evading detection by a sandbox, including:
- Sleeping/Hiding: where the malware sleeps or executes useless work until a sandbox times out
- Detecting User Input: where the malware seeks user input, often not provided by a sandbox
- Detecting A Sandbox: where the malware runs tests to determine if a sandbox is present
- Targeted Attacks: where the malware only attacks an intended victim computer, identified by IP address, username, machine name, etc., so its attack remains hidden in a sandbox
- Timing-Based Attacks: where the malware checks for a specific date or time, which is unlikely to occur during the short sandbox run
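As an added example (not SecondWrite's code), the Python below triages a constructed sandbox API-call trace for the five sandbox-evasion patterns just listed: stalling sleeps, user-input checks, sandbox-detection queries, victim-targeting lookups and date/time checks. The API names in each category and the 60-second sleep budget are assumptions to be adapted to one's own sandbox's logging schema and run length.

```python
# Added example (not SecondWrite code): heuristic triage of a constructed
# sandbox API-call trace for the evasion patterns described above.
from dataclasses import dataclass


@dataclass
class Event:
    api: str          # Win32 API name as a sandbox monitor would log it
    args: tuple = ()  # relevant arguments (constructed values)


# Evasion category -> APIs that commonly serve it. Assumption: these names
# match the monitor's logging; extend them to your own sandbox's schema.
CATEGORIES = {
    "user_input_check": {"GetCursorPos", "GetLastInputInfo", "GetAsyncKeyState"},
    "sandbox_detect":   {"IsDebuggerPresent", "GetSystemInfo", "GlobalMemoryStatusEx"},
    "targeting":        {"GetUserNameW", "GetComputerNameW", "gethostbyname"},
    "timing_check":     {"GetSystemTime", "GetLocalTime", "NtQuerySystemTime"},
}
SLEEP_APIS = {"Sleep", "NtDelayExecution"}
SLEEP_BUDGET_MS = 60_000  # assumed sandbox run length; longer total sleep = stalling


def triage(trace):
    """Return {category: count} of evasion indicators seen in the trace.
    'stalling' carries the cumulative requested sleep in ms when it
    exceeds SLEEP_BUDGET_MS, i.e. the sample would outlast the sandbox."""
    hits = {}
    slept = 0
    for ev in trace:
        if ev.api in SLEEP_APIS:
            slept += int(ev.args[0]) if ev.args else 0
            continue
        for cat, apis in CATEGORIES.items():
            if ev.api in apis:
                hits[cat] = hits.get(cat, 0) + 1
    if slept > SLEEP_BUDGET_MS:
        hits["stalling"] = slept
    return hits


# Constructed trace: looks for a mouse, sleeps past the budget, reads the
# machine name, then checks the date before touching any file.
SAMPLE_TRACE = [
    Event("GetCursorPos"),
    Event("Sleep", (45_000,)),
    Event("Sleep", (45_000,)),
    Event("GetComputerNameW"),
    Event("GetLocalTime"),
    Event("CreateFileW", ("C:\\Users\\Public\\sample.bin",)),
]

if __name__ == "__main__":
    for cat, n in sorted(triage(SAMPLE_TRACE).items()):
        print(f"{cat}: {n}")
```

A trace that fires several categories before any file or network activity is the profile a defender wants to surface for longer or instrumented re-analysis rather than a plain "no behavior observed" verdict.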
Copyright 2020, SecondWrite, Inc. All rights reserved.