Beyond signatures

Cyber intrusions are continuing unabated with no end in sight, and the industry is split on what new methods are necessary to combat advanced threats. Certain factions claim that enhanced signature sharing should be the primary solution, while others believe that signatures are dead. The reality is that while signatures remain an important component of detection and prevention of well-known threats, they are inadequate to defend against modern advanced threats.

Signatures provide security practitioners the ability to detect and search for artifacts associated with previously known campaigns, combat low caliber adversaries, respond to external intrusion notifications, and pivot through a network to find additional hosts affected by the same intrusion detected on other internal systems. However, modern adversary tactics are rapidly changing. Adversary communications are encrypted. Malware is often customized per victim, as is the attack infrastructure, which is reused less often and cycles rapidly. In addition, non-malware based techniques such as use of legitimate credentials and misuse of legitimate administrative tools are on the rise. All of this renders signatures insufficient to drive modern detection and remediation.

The industry requires more sophisticated and robust detection capabilities to defend against the adversary.

Better signatures and more robust sharing are not the answers to these problems. The industry requires more sophisticated and robust detection capabilities to defend against the adversary. We must simultaneously monitor operating systems' low-level chokepoints, where adversaries must transit as they take action on systems, hunt for higher-order patterns in data collected from across networks to find suspicious and anomalous activity, and leverage traditional signature-based detections - to give the defender a chance.

A basic premise of today's cyber climate is that the security industry needs to do more. Moving from solely signature-based defenses to also including attacker techniques and patterns is the best way to maximize the defender's chance of success in minimizing damage and loss.

Mark Dufresne

Mark is responsible for Elastic Endpoint Security’s efforts to understand cyber threats and develop innovative capabilities to detect and prevent malicious adversary techniques. Mark has over 12 years of experience in offensive and defensive cybersecurity as an Operations Chief and Manager at the National Security Agency. As the leader of a diverse range of cyber operations, Mark spearheaded efforts to defend against the global range of cyber adversaries, with a focus on disrupting and mitigating targeted nation state cyber activities. Mark was also a major advocate and coordinator for a variety of intelligence sharing and collaboration efforts across the US Government to improve cyber defense and prevention capabilities across the community. Mark earned his BS in Computer Science from the University of Minnesota and his MS in Security Informatics from Johns Hopkins University.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.