Intrusion deception: Making a case for middle ground in malware mitigation
Kyle Adams, chief software architect, Juniper Networks
As the Target and Neiman Marcus data breach stories continue to evolve, so too does the story of how to combat malware. Today, the industry is spending billions of dollars a year using signatures to try to stop attacks or post-mortem forensic analyses to try to learn how to prevent future attacks. Problem is, neither of these methods is really cutting it.
In order to stop malware, you need first to understand how many attacks work. Not always, but certainly often enough, malware follows this path: It looks for vulnerabilities, infects a system, propagates to other network devices, finds wanted data, and, finally, executes and brings home that sensitive data. If malware can't complete this process, attackers won't be successful.
Right now, the industry's attention sits squarely in the wrong place. Instead of solely thinking about how to prevent the initial infection or spending countless dollars autopsying an exploit after the fact, there's an opportunity to rethink the problem—or process—and a solution that lies smack-dab in the middle. The key is focusing on ways to stop malware after the infection, but prior to a damaging data breach.
It's in this somewhat nebulous middle ground where intrusion deception could prove highly effective. While you can't reliably predict the signature of a virus, you can reliably assume that malware has to do something to be useful to attackers. So it becomes all about breaking that something. Intrusion deception has been designed to detect, delay, track, profile, frustrate, and break attackers. So why not put it to use detecting, deceiving, and forcing malware to reveal itself?
While there are several ways to detect malware through deception, two promising examples involve sure-fire fake-outs.
On the endpoint, malware will either be looking out for ways to avoid anti-virus processes that are running or, if it's of the aggressive variety, the malware will actually head straight for anti-virus software in order to try to kill it. So how about creating an emulation of fake anti-virus software? The basic idea is to spawn processes that have similar profiles to anti-virus processes. The malware won't be able to discern these processes are fake (and probably wouldn't expect this either), so when it blindly kills them off, it will immediately reveal that the machine is infected. Under normal conditions, a process wouldn't be killed until the OS shuts down.
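The tripwire described above, as an added example that is not Juniper code: a small watchdog spawns harmless decoy processes and treats any unexpected exit as a sign that something on the host is killing what it believes to be anti-virus. The decoys here are plain Python sleepers; the labels are constructed, and making the processes actually resemble a given anti-virus product (name, image path, window title) is left as an assumption outside this snippet.

```python
"""Decoy 'anti-virus' processes as an infection tripwire.

Added example, not Juniper code. The decoys are harmless sleeper processes;
the AV-like labels are constructed and attached only to the alert. Giving the
processes a realistic anti-virus profile is assumed to happen elsewhere.
"""
import subprocess
import sys
from dataclasses import dataclass

# Constructed decoy labels. Nothing legitimate should ever stop these.
DECOY_LABELS = ["decoy-av-scanner", "decoy-av-realtime", "decoy-av-updater"]


@dataclass
class DecoyProcess:
    label: str
    proc: subprocess.Popen


def spawn_decoys(labels=DECOY_LABELS):
    """Start one long-running, do-nothing child per label."""
    decoys = []
    for label in labels:
        # The child only sleeps; it scans nothing. Its death is the signal.
        proc = subprocess.Popen(
            [sys.executable, "-c", "import time; time.sleep(3600)"]
        )
        decoys.append(DecoyProcess(label, proc))
    return decoys


def check_decoys(decoys):
    """Return one alert per decoy that has exited.

    Under normal conditions these processes live until shutdown, so any exit
    before then is treated as evidence that the host is infected. On POSIX a
    negative return code means the process was killed by a signal, which is
    exactly what a process killer produces.
    """
    alerts = []
    for d in decoys:
        rc = d.proc.poll()
        if rc is not None:
            alerts.append({"label": d.label, "pid": d.proc.pid, "returncode": rc})
    return alerts


def stop_decoys(decoys):
    """Orderly shutdown of whatever is still running (the legitimate case)."""
    for d in decoys:
        if d.proc.poll() is None:
            d.proc.kill()
            d.proc.wait()


def simulate_kill_and_detect(label=DECOY_LABELS[1], timeout=5.0):
    """Demonstration: spawn decoys, terminate one (standing in for malware
    killing 'anti-virus'), and return the labels the watchdog flags."""
    decoys = spawn_decoys()
    try:
        victim = next(d for d in decoys if d.label == label)
        victim.proc.terminate()
        victim.proc.wait(timeout=timeout)
        return [a["label"] for a in check_decoys(decoys)]
    finally:
        stop_decoys(decoys)


if __name__ == "__main__":
    print("flagged:", simulate_kill_and_detect())
```

In production the check would run on a timer and forward the alert to the SIEM or endpoint console; the point of the exercise is that a killed decoy is a high-confidence signal with essentially no false positives, because nothing legitimate has any reason to touch it.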
On the network side, malware is on the hunt for data. So again, why don't we create fake files? This could be fake sensitive targets such as password files, infectable binaries, user files, etc. Because they are fake, they shouldn't ever be touched or accessed by a real user. Malware, on the other hand, doesn't know what's real and what's not. So it goes after everything on the network. And if it were to touch a fake asset, it would, again, reveal itself. It's a way to detect malware that anti-virus engines would never see.
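The fake-file idea above, as an added example that is not Juniper code: plant a handful of obviously bogus "sensitive" files, record a baseline, and alert when any of them is modified, rewritten or deleted. The decoy names and contents are constructed; in practice they would sit on a share that no legitimate user has a reason to open. This snapshot approach catches tampering (an "infected" binary, a rewritten password file, a deletion); detecting a pure read requires file-access auditing on the host or file server, which is assumed to exist separately.

```python
"""Honeyfiles: decoy 'sensitive' files whose tampering reveals malware.

Added example, not Juniper code. Decoy names and contents are constructed
and deliberately worthless; the directory would normally be a network share
that legitimate users never need.
"""
import hashlib
import tempfile
from pathlib import Path

# Constructed decoy set: file name -> bait content.
DECOYS = {
    "passwords.txt": b"admin:DECOY-not-a-real-credential\n",
    "payroll_2013.xlsx": b"DECOY spreadsheet placeholder\n",
    "svc_backup.exe": b"MZ DECOY binary placeholder\n",
}


def _snapshot(path):
    """Content hash plus size and mtime, enough to notice any rewrite."""
    st = path.stat()
    return {
        "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
        "size": st.st_size,
        "mtime_ns": st.st_mtime_ns,
    }


def plant_decoys(root, decoys=DECOYS):
    """Write the decoys under root and return the baseline to compare against."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    baseline = {}
    for name, content in decoys.items():
        p = root / name
        p.write_bytes(content)
        baseline[name] = _snapshot(p)
    return baseline


def check_decoys(root, baseline):
    """Compare the current state with the baseline; one alert per touched decoy.

    Real users never have a reason to open these files, so every event here is
    treated as malicious until proven otherwise.
    """
    root = Path(root)
    alerts = []
    for name, before in baseline.items():
        p = root / name
        if not p.exists():
            alerts.append({"file": name, "event": "deleted"})
            continue
        now = _snapshot(p)
        if now["sha256"] != before["sha256"]:
            alerts.append({"file": name, "event": "modified"})
        elif now["mtime_ns"] != before["mtime_ns"]:
            # Same bytes, new timestamp: rewritten in place or touched.
            alerts.append({"file": name, "event": "touched"})
    return alerts


def demo():
    """Plant decoys in a scratch directory, tamper with two of them the way
    malware would (infect a binary, delete a document), and return the
    alerts before and after tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        baseline = plant_decoys(tmp)
        clean = check_decoys(tmp, baseline)
        (Path(tmp) / "svc_backup.exe").write_bytes(b"MZ DECOY + injected payload\n")
        (Path(tmp) / "payroll_2013.xlsx").unlink()
        return clean, check_decoys(tmp, baseline)


if __name__ == "__main__":
    before, after = demo()
    print("clean run:", before)
    print("after tampering:", after)
```

The baseline hash is what makes the check robust: an attacker who restores the original timestamp but not the original bytes still trips the "modified" alert, and a deleted decoy is caught whether or not anything else on the share changed.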
Detecting malware is a great start, but it's still only half the challenge. The more interesting problem of how to stop it persists. Doing that involves connecting a lot of dots.
Current advanced malware solutions on the market have no visibility into the internal networking flows because they don't own the switching fabric. They can tell customers about suspected devices, but they still can't stop attacks and, ultimately, toss the problem back over to customers to solve.
An anti-malware system that integrates firewalls and switching fabric would be able to reveal and stop malware even at the endpoint. The key is combining and automating the ability to see malicious activity at the endpoint, the internal network, and the network perimeter.
For its part in the bigger security picture, intrusion deception has a significant role to play. Not only could it be used to bring malware out of the shadows to reveal itself, but by increasing the time, effort, and opportunity costs associated with attacks, it changes the very economics of hacking and encourages hackers to give up and go elsewhere. With this middle ground solution, hackers will be the only ones who'll need to compromise their positions.