By: Travis Rosiek, Chief Technology and Strategy Officer, BluVector
Today’s society is quick to adopt and leverage new features and technology without consideration for the security risks and possible consequences. Combined with a thirst for new web applications created with a multitude of easy to program scripting languages, these realities seed a growing attack surface that allows cyber adversaries more ways to conduct their attacks and stay ahead of most security products.
Cyber adversaries are constantly evolving their attack methodologies and tools to stay ahead of detection. Over the last couple of years, they have been effectively leveraging Operating Systems capabilities that lack the means to log activity — making this tactic a powerful and lower risk resource for adversaries.
These attacks typically run in memory and operate in areas of the system that are ever changing (e.g. system memory, registry and system utilities which, in many cases, lack logging capabilities). Called “fileless malware,” due to a lack of a file used to typically initialize an attack, fileless attack vectors can be leveraged in two common ways:
- Conduct the entire attack using scripts and avoid writing to disk (but doesn’t persist through a system reboot) or;
- Leverage a fileless approach as the initial attack vector in order to download and install a malicious backdoor (this maintains persistence). This allows threat actors to not worry as much about whether their backdoor will install properly and evade detection or generate large amounts of logs.
What is Speculative Code Execution?
Speculative Code Execution (SCE) is the exploration of multiple execution paths through machine code or scripts to identify the potential for malicious behavior. The technique does not require but may leverage a control flow graph to determine paths of interest.
How is Speculative Code Execution different than sandboxing for detection?
Sandboxing has been leveraged over the last several years as a means to automate malware analysis by executing a suspicious file in a detonation chamber and then monitor the file’s interaction with the virtual machine to determine if there are any nefarious interactions.
Applied as a secondary analysis capability for network traffic monitoring devices as well, this technology has shown to be effective in many use cases but offers some limitations. For instance, the speed of performing this analysis is measured in minutes, which limits the amount of traffic that can be analyzed at high network speeds. Another challenge is that adversaries are actively building attacks that can avoid detection by evading sandbox detection techniques.
In response, Speculative Code Execution rapidly examines execution paths of machine code or scripts to identify malicious behavior. This requires much less overhead as compared to sandboxing technologies and can make determinations in milliseconds instead of minutes. This makes speculative code execution very capable of detecting fileless attacks at line rate speeds.
Another advantage of SCE is that it is less resistant to the evasion techniques that plague sandbox technologies. Many evasion techniques leverage artifacts of the sandbox environment to detect and ultimately evade sandbox analysis. Another difference is that SCE allows an analyst to follow and analyze possible execution paths during dynamic analysis, whereas a sandbox typically only sees the execution path that is observed in the sandbox detonation.
Applying SCE to Next Generation – Network Intrusion Detection
The inclusion of SCE within a Next Generation – Network Intrusion Detection (NG-NIDS) answers several challenges that organizations face in today’s threat landscape: speed, volume and accuracy. In more practical terms, it’s also an effective approach to applying an emergent detection capability to all network traffic at the point of entry into an enterprise’s network.
This completeness of coverage and ability to detect threats rapidly make it possible to analyze both web traffic and files that contain malicious code. This technological advance provides a robust approach for addressing a new class of attacks that have been a blind spot for many.
Answering the Challenge
Fileless malware will become one of the biggest challenges for many organizations as they’re designed to avoid detection, cause damage and leave no files for a post-breach investigation. What they can leave behind are damage to productivity and reputation.
If you’re not sure if your current IDS is detecting fileless malware, the easy answer is that it isn’t. With the release of BluVector 3.0, we are the first and only security vendor to offer fileless malware detection in real time on the network. Combined with our patented machine learning engine that runs in parallel with SCE, customers will significantly lower their threat risk while increasing their detection capabilities. Before your next breach, put us to the test to see how BluVector finds threats that others don’t.
About Travis Rosiek
With nearly 20 years of experience in the security industry, Travis is a highly accomplished cyber defense leader having led several commercial and U.S. government programs. He is known for developing and executing strategic plans to build the technical capacity across product development, quality assurance, technical marketing, professional services and sales engineering. Prior to his role at BluVector, Travis held several leadership roles including CTO at Tychon and Federal CTO at FireEye as well as senior roles at CloudHASH Security, McAfee, and Defense Information Systems Agency (DISA).