By Michael Woodside, Principal Systems Engineer
“Hey Boss, John has another virus on his computer. I don’t know where he keeps getting these from, or how they keep getting past our current antivirus…”
Does this sound like your IT shop? Are you tired of chasing after the virus, always repairing the damage but never getting ahead? Don’t you wish there was something better and more efficient that could prevent this from happening? Well, there is. But first let’s cover some basics: how we have been identifying files, and why legacy anti-virus, which worked for so long, is no longer stopping the threats.
What Is a File Hash?
Imagine you ate a red fruit from the tree over there, and it tastes sweet and delicious. Instead of describing the fruit in detail every time you discuss it, you give it a specific name such as a “Red Delicious” apple. From that moment forward you can use the name “Red Delicious” as a reference instead of the description. A file hash is the same idea for a computer. Instead of describing every one of the 1’s and 0’s that make up the data, the computer runs the data through a hash function (MD5, SHA-1 and SHA-256 are the common choices) that produces a short, fixed-length value for that exact sequence of bytes. We call that value the file hash. Two copies of the same file always produce the same hash, so a scanner can compare hashes instead of comparing contents. But what is the catch? Just like our fruit example, change any part of the description and it is a completely different item: perhaps it’s a yellowish-green fruit now, and we call it a pear. Change even a single byte of the file and you get an entirely different hash, with no resemblance to the old one.
Legacy Anti-Virus Uses the File Hash to Identify Malicious Files…
Many systems today are infected by harmful software known as malware. The problem is that traditional defenses were not designed to catch the quickly evolving malware and exploits seen in the wild. These files can mutate many times in a short period, like a real-life virus in the doctor’s office; doctors call each version a different strain, and the same can be said of malicious software. Repacking, recompiling or changing a few bytes of a malicious file changes its hash, so each new strain evades hash-based detection for a little while longer. The deeper problem with the hash method is that to catch a piece of malicious software we must have been exposed to it before, just like our immune system; until then it spreads. We are only as strong as the database of known hashes we have collected. Is your legacy anti-virus not living up to your expectations? Perhaps that is because legacy anti-virus defenses were not designed to stop modern-day threats.
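To make the hash problem concrete, here is an added example (not code from the original post and not from any vendor product) of a minimal hash-based blocklist and the one-byte “mutation” that slips past it. The “known bad” file and the blocklist are constructed stand-ins, not real malware or a real signature database; file_hash, legacy_scan and mutate are names chosen for this illustration.

```python
"""Why a hash blocklist misses a trivially mutated sample.

Added illustration for this post, not code from the original article
or from any endpoint product. KNOWN_BAD is a constructed byte string
(not real malware) and BLOCKLIST is a hypothetical in-memory database.
"""
import hashlib


def file_hash(data: bytes, algorithm: str = "sha256") -> str:
    """Return the hex digest of ``data``: the short 'name' a scanner
    compares instead of the full contents. Any change to the bytes
    yields an unrelated digest (the avalanche property)."""
    return hashlib.new(algorithm, data).hexdigest()


# Constructed stand-in for a file the scanner has already "seen".
KNOWN_BAD = b"MZ\x90\x00" + b"constructed-sample-strain-a" + b"\x00" * 64

# Hypothetical signature database: the hashes a legacy scanner has
# been exposed to so far.
BLOCKLIST = {file_hash(KNOWN_BAD)}


def legacy_scan(data: bytes) -> bool:
    """True only when the exact hash is already in the database."""
    return file_hash(data) in BLOCKLIST


def mutate(data: bytes) -> bytes:
    """Simulate a new 'strain': append one padding byte. The program's
    behaviour would be unchanged, but its hash is not."""
    return data + b"\x00"


def differing_hex_digits(a: str, b: str) -> int:
    """Count positions where two equal-length hex digests differ, to
    show how thoroughly a one-byte edit scrambles the hash."""
    return sum(x != y for x, y in zip(a, b))


if __name__ == "__main__":
    strain_b = mutate(KNOWN_BAD)
    h_a, h_b = file_hash(KNOWN_BAD), file_hash(strain_b)
    print("strain A caught by hash blocklist:", legacy_scan(KNOWN_BAD))
    print("strain B caught by hash blocklist:", legacy_scan(strain_b))
    print(f"hex digits changed by a one-byte edit: "
          f"{differing_hex_digits(h_a, h_b)} of {len(h_a)}")
```

Run it and strain A is caught while strain B, identical apart from one trailing byte, is not; nearly every hex digit of the digest changes. A defender who depends on this database must collect strain B’s hash before it can be blocked, which is exactly the “must have been exposed to it before” problem the post describes.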
Stop Chasing the Virus…
When something new comes along that we have never seen, we have no knowledge of it and no resistance to it, so it runs uncontrolled and wreaks havoc on networks until someone works out how to stop it. Even then there is a cost, because we are left repairing damage that has already been done. To some that is a small price, but imagine having to reload every computer in your environment from backups, or from scratch, because a new virus took control. What can be done to stop chasing the virus and get ahead of the curve? It’s time we start looking for the symptoms that appear before the infection.
Time to Treat the Symptoms
Now that we know why legacy anti-virus isn’t effective against new viruses and malicious software, what can we do? We act like doctors and treat the symptoms: the identifiable traces of an exploitation technique. While new malicious software appears daily, most of it, if not all, relies on the same small set of techniques to infiltrate a target and carry out its programmed routine. Because those techniques are known in advance, we can block them before a full-blown infection, or at least before the first execution phase of the software, thus stopping it from achieving its goals or spreading further.
Stopping One Symptom Can Prevent a Full-Blown Infection…
If we can stop just one of these steps, we prevent the software from fully executing, and we can flag the unknown file for review and diagnostics. This changes the way we identify and classify files and malicious software. Instead of needing to have seen every file in order to prevent an attack, we focus on the underlying symptoms and methods, and because there are far fewer techniques than there are files, the software needed to stop an infection can be smaller, more efficient and easier to manage. We no longer need a giant database of file hashes to check every file against. We can simply place stops or roadblocks at each major technique.
But What Are These Symptoms or Techniques?
The symptoms, or exploitation techniques, normally fall into three main categories: pre-exploit techniques, kernel exploit techniques and traditional exploit techniques. Quite a few exploit techniques are known to have been used to gain control of a targeted system, and most malicious software chains around seven or eight of them to succeed. The symptoms can be obvious, such as launching a new program or changing a setting on the computer, or as simple as the software asking “Who am I?” or “What privileges do I have?”. Going back to the original question of this post: isn’t there something out there that is better at catching this new breed of malicious software? Yes. The answer is Palo Alto Traps, a next-generation endpoint protection product that uses exploit prevention and zero-day threat mitigation to stop the threat and prevent a full-blown infection.
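The following is an added example of what “placing a roadblock at a technique instead of matching a hash” looks like in practice, serving both the roadblock idea above and the three symptoms just listed (launching a new program, changing a setting, asking “who am I”). It is illustration code written for this page; it is not code from the original post and is not how Traps or any other product is implemented. The process-event records, the field names (image, cmdline, ancestors) and the rule names are all constructed assumptions, and the sample events are made up for the demonstration.

```python
"""Flag exploitation 'symptoms' rather than file hashes.

Added example for this post. Not the original author's code and not a
description of any vendor product's internals. The event schema and
the sample events below are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    """One constructed process-creation record (hypothetical schema)."""
    pid: int
    image: str                  # executable being started
    cmdline: str
    ancestors: Tuple[str, ...]  # parent, grandparent, ... (nearest first)


# Programs that open documents, mail or web content. They should render
# content, not start shells. (Assumed list for the example.)
CONTENT_HANDLERS = {"winword.exe", "excel.exe", "acrord32.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Commands that ask "who am I / what privileges do I have".
RECON = {"whoami.exe", "net.exe"}


def launched_beneath_content_handler(ev: ProcessEvent) -> bool:
    """True if any ancestor, not just the direct parent, is a content handler."""
    return any(a.lower() in CONTENT_HANDLERS for a in ev.ancestors)


def rule_content_handler_spawns_shell(ev: ProcessEvent) -> bool:
    """Symptom: a document/mail process 'calls a new program' (a shell)."""
    return (ev.image.lower() in SHELLS
            and len(ev.ancestors) > 0
            and ev.ancestors[0].lower() in CONTENT_HANDLERS)


def rule_recon_under_content_handler(ev: ProcessEvent) -> bool:
    """Symptom: 'who am I?' asked anywhere beneath a content handler.
    whoami typed by an admin in their own cmd.exe is deliberately not
    flagged, which is why the whole ancestry is checked."""
    return ev.image.lower() in RECON and launched_beneath_content_handler(ev)


def rule_run_key_persistence(ev: ProcessEvent) -> bool:
    """Symptom: 'changing a setting': writing an autorun Run key via reg.exe."""
    cl = ev.cmdline.lower()
    return ev.image.lower() == "reg.exe" and " add " in cl and "\\currentversion\\run" in cl


RULES: Dict[str, Callable[[ProcessEvent], bool]] = {
    "content_handler_spawns_shell": rule_content_handler_spawns_shell,
    "recon_under_content_handler": rule_recon_under_content_handler,
    "run_key_persistence": rule_run_key_persistence,
}


def evaluate(events: List[ProcessEvent]) -> List[Tuple[int, str]]:
    """Return (pid, rule name) for every event that trips a roadblock.
    No hash database is consulted: an unseen binary is caught by what it does."""
    hits: List[Tuple[int, str]] = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((ev.pid, name))
    return hits


# Constructed sample events: a user opens a document that then starts a
# hidden shell, enumerates privileges and installs persistence, alongside
# an administrator legitimately running whoami from their own prompt.
SAMPLE_EVENTS = [
    ProcessEvent(100, "winword.exe", "winword.exe invoice.docx", ("explorer.exe",)),
    ProcessEvent(101, "powershell.exe", "powershell.exe -NoProfile -WindowStyle Hidden",
                 ("winword.exe", "explorer.exe")),
    ProcessEvent(102, "whoami.exe", "whoami.exe /priv",
                 ("powershell.exe", "winword.exe", "explorer.exe")),
    ProcessEvent(103, "whoami.exe", "whoami.exe", ("cmd.exe", "explorer.exe")),
    ProcessEvent(104, "reg.exe",
                 r"reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run "
                 r"/v Updater /t REG_SZ /d C:\Users\Public\updater.exe",
                 ("powershell.exe", "winword.exe", "explorer.exe")),
    ProcessEvent(105, "cmd.exe", "cmd.exe", ("explorer.exe",)),
]

if __name__ == "__main__":
    for pid, rule in evaluate(SAMPLE_EVENTS):
        print(f"pid {pid}: roadblock '{rule}' tripped")
```

Three of the six constructed events trip a roadblock (the hidden shell under Word, the privilege check beneath it, and the Run-key write), while the administrator’s own whoami and an ordinary cmd.exe pass. Nothing here depended on recognising the payload’s hash, so a freshly repacked strain would be caught at the same step; blocking the first symptom (the shell launch) would stop the later ones from ever occurring.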