Malware never sleeps. And with threats like WannaCry or ransomware targeting healthcare organizations, IT leaders need to be more vigilant about emerging cyberthreats than ever.
One of these emerging threats is a generation of “polymorphic” malware, cleverly designed to elude security detection, that is now assaulting networks worldwide.
Polymorphic approaches have been used by malware authors for a long time. “What has changed is the diversity of evasive tactics that attackers employ and the frequency with which they use them,” says Lenny Zeltser of the SANS Institute. “Our adversaries aren’t standing still.”
Polymorphic malware creators devise numerous techniques for defeating network defenses. “For instance, they use malicious document files at the onset of the attack, or employ ‘fileless’ techniques to maintain malicious code solely in the memory of the infected system,” Zeltser says.
Analysts estimate that malware morphs every 60 seconds. “That’s because on the Dark Web there’s an ‘arms’ marketplace where basic malware can be acquired, altered and re-posted in a continuous cycle of refinement,” says Larry Lunetta, vice president of security solutions marketing at Aruba Networks. “This makes detection via signatures, rules or pattern matching practically impossible.”
Many healthcare organizations now realize that despite their best efforts to prevent breaches, adversaries still sometimes succeed at penetrating network defenses. Enterprises need to develop the ability to detect when their defenses have been breached so that they can respond and recover quickly, before the incident escalates into a major event. To meet this need, a growing number of organizations are adding Endpoint Detection and Response (EDR) capabilities to their network defenses. EDR tools provide deep visibility and offer insights that help security analysts discover, investigate and respond to advanced threats.
Cognitive Security Meets Sophisticated Endpoint Threats
Unfortunately, most serious network attacks do not stop at the endpoint.
“The endpoint is simply the jumping-off location for a more aggressive and expansive attack that involves small steps over days, weeks or months,” Lunetta says. “Artificial intelligence and machine learning can see small changes in endpoint behaviors, put them in context over time and raise a risk score within a security solution to an alert threshold so it can be investigated and mitigated before damage is done.”
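The two ideas above, that a hash signature cannot keep up with a variant that changes every minute while a risk score that accumulates small behaviors over time can still cross an alert threshold, are illustrated by the following added example. It is not code from the article or from any vendor quoted in it; the payload bytes, behavior names, weights, window and threshold are all constructed for illustration.

```python
"""Added example: hash signature check versus a time-windowed behavioural
risk score on one host. All samples, weights and events are constructed."""
import hashlib
from datetime import datetime, timedelta

# Constructed "variants": same payload family, differing in one byte, so their
# hashes differ and only the first is in the signature list.
VARIANT_A = b"constructed-sample-payload-v1"
VARIANT_B = b"constructed-sample-payload-v2"
KNOWN_BAD_HASHES = {hashlib.sha256(VARIANT_A).hexdigest()}

def signature_match(sample: bytes) -> bool:
    """Classic signature detection: exact hash lookup."""
    return hashlib.sha256(sample).hexdigest() in KNOWN_BAD_HASHES

# Illustrative weights for individually low-signal endpoint behaviours.
WEIGHTS = {
    "office_app_spawned_shell": 40,
    "script_engine_network_connect": 30,
    "new_scheduled_task": 20,
}
ALERT_THRESHOLD = 80          # assumed value
WINDOW = timedelta(days=7)    # how long context is kept for one host

def risk_score(events, now):
    """Sum the weight of each distinct behaviour seen on a host within WINDOW.
    events: list of (timestamp, behaviour_name); each behaviour counts once."""
    seen = {}
    for ts, behaviour in events:
        if now - ts <= WINDOW and behaviour in WEIGHTS:
            seen[behaviour] = WEIGHTS[behaviour]
    return sum(seen.values())

def should_alert(events, now):
    return risk_score(events, now) >= ALERT_THRESHOLD

# Constructed telemetry for one host, spread over days as the quote describes.
NOW = datetime(2018, 1, 10, 12, 0)
HOST_EVENTS = [
    (NOW - timedelta(days=30), "new_scheduled_task"),          # outside window
    (NOW - timedelta(days=5), "office_app_spawned_shell"),
    (NOW - timedelta(days=2), "script_engine_network_connect"),
    (NOW - timedelta(hours=1), "new_scheduled_task"),
]

if __name__ == "__main__":
    print("variant B matches signature:", signature_match(VARIANT_B))   # False
    print("host risk score:", risk_score(HOST_EVENTS, NOW))            # 90
    print("alert:", should_alert(HOST_EVENTS, NOW))                    # True
```

With only the first three events the score is 70 and no alert fires; the fourth, individually minor, event pushes the host over the threshold for an analyst to investigate.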
Machine learning and AI also excel at identifying new types and variations of malware that haven’t existed in the wild for very long. “Every organization needs multiple detection engines to help prevent attacks, such as ransomware and commodity malware,” Waggoner says.
Sundaralingam agrees that sophisticated technologies are now essential for detecting and preventing malicious attacks.
“Advanced machine learning employs a multi-layered threat assessment that analyzes how static files behave and interact with other files, machines and URLs,” he says. Machine learning can also scrutinize vast amounts of data to determine if a type of code seen on only one or perhaps a handful of machines around the world is likely to be malicious.
“Put simply, advanced machine learning acts as the first responder when an attacker gains access to private data, and effectively detects malware in the pre-execution phase to seamlessly respond and stop large known and unknown threats,” Sundaralingam says. “By combining machine learning and behavioral analysis with endpoint technologies, companies are able to minimize false positives and maximize protection when faced with large-scale attacks like WannaCry.”
Computers are inherently better at some tasks than humans, including the ability to analyze large volumes of data to spot hidden patterns that can indicate a possible network threat.
“Many endpoint antivirus and related technologies now incorporate AI to detect malware in a way that extends the approaches available to us earlier,” Zeltser says. “This is an evolutionary step that allows the defenders to keep up with the constantly-changing threat landscape.”