“Now you see me now you don’t”: The undetectable threat detection

In my previous post I asserted that evasion and persistence are the two main “malware virtues” challenging existing detection methods.

In order to successfully thwart advanced malware, a twofold new approach must be introduced to augment existing threat detection solutions:

  1. Separation of the detection layer from the attack surface (this blog)
  2. Placement of advanced high-interaction honeypots closer to the attacked users (next blog)

First things first: Why is it so hard to detect advanced malware?

Well, the short answer is: Because malware has become so sophisticated and fast-changing, while operating systems have become unbearably large and complex.

Malware detection is uncomfortably situated between a rock and a hard place: It needs to deal with both the vulnerabilities and complexity of the operating system and the malicious activity of the malware.

“You don’t know what you don’t know, because you can’t see what you can’t see”: Threat detection is reaching a negative inflection point

In this blog post I present a few bold (and quite disturbing) figures about the current state of affairs of malware and its detection. I assert that given the unbearably and unacceptably long time it takes to detect malware (if it is detected at all), and the growing cost and complexity of its detection, it’s time to admit that current malware detection technologies have exhausted themselves and that it’s time for new detection paradigms to emerge.

The perplexity

Reading the threat and malware reports frequently published by security vendors and security-research labs leaves the reader perplexed. No two reports resemble each other in how they define the main threats or in their quantitative analysis of the levels and dynamics of those threats.

It seems that each vendor has a “unique angle” on the threat landscape, probably based on its technological solutions and its own security knowledge-base.

There doesn’t seem to be any agreement about the scope and breadth of the threats, save for one conclusion: The threat level is rising and so is its severity.

The harsh reality: Malware’s true state of affairs

Here are a few bold figures published very recently by prominent security players:

APT detection: Closing the Gaping Hole

New solutions to tackle advanced persistent threats (APTs) are continuously introduced, yet the detection gap remains alarmingly wide. The main reason is that common security solutions fail to detect the actual APT infection. Instead, they focus on failed prevention attempts (using conventional anti-malware technologies) and on monitoring targets that are already infected. Utilizing new and unconventional methods of detection, namely a secure hypervisor, can resolve that problem.

The APT Detection Gap

Despite all efforts, the average time it takes to detect APTs is still measured in months, with the industry’s accepted average being longer than six months.

The main reason for this detection gap is the sophistication of the infection and evasion techniques used by attackers. Most of the infections occur below the infected operating system, and as such cannot be identified in real time by common detection technologies, such as anti-malware applications and sandboxes.