Nearly all cyber attacks require running code. Regardless of the attack vector, in order for an adversary to create any damage, such as stealing data, installing a backdoor, or deleting sensitive materials, they must run code on a target’s computer or server (in the cloud or on-premise).
While traditional anomaly detection solutions can effectively alert us to suspicious behaviors, they are limited in their ability to identify what threat is actually running in memory. This is especially problematic for detecting in-memory threats — such as malicious code injections and packed or fileless malware — and sophisticated threats that are designed to look “normal”.
The Limit of Behavioral Analysis and Anomaly Detection
In an article I wrote for Help Net Security, I state that anomalies only provide us with an indication that “something” is wrong with our machine or server.
In order to understand the root problem, respond, and ensure that a system or machine is completely clean, we must search for and identify the unauthorized and malicious code running in memory that caused the anomaly alert to begin with.
While behavioral analysis solutions present us with a means to detect and alert on suspicious behaviors, they tend to produce too many false positive alerts for the SOC analyst. In addition, behavioral analysis solutions are prone to be evaded by sophisticated threats which are designed to not generate anomalies. Simply put, if you’re a sophisticated attacker, you know how to appear normal.
Incident responders also require context about threats in order to tailor their response effectively. Security teams benefit from automatically classifying threats and attributing them to the developer behind them. If a file doesn’t behave suspiciously, but you know it was created by the same author as Emotet, for example, you can reasonably conclude that it is malicious.
Basing Incident Response on Diagnosis, Not Symptoms
Instead of searching for suspicious behaviors, anomalies or IOCs, the Genetic Analysis approach detects code reuse between software on the binary level. In other words, it detects code that was seen in previous cyber attacks or other software. Even if an attacker reuses tiny portions of the same code in future attacks, you as the defender will be able to automatically detect any future threat that shares the same code.
This approach also allows us to recognize trusted code with automation, reducing false positives by identifying previously seen software or benign artifacts.
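The following is an added illustration of the code-reuse idea described above, written for this page; it is not Intezer’s own implementation, and the byte sequences, the 8-byte “gene” size, and the family names are constructed assumptions. It hashes overlapping byte windows of a memory blob so that a routine is recognised wherever it sits in the image, discards genes that also appear in trusted software (so shared runtime code cannot be misattributed to a malware family), and then reports which known family the remaining code is reused from.

```python
"""Toy code-reuse ('gene') detector: label a memory blob by the binary
fragments it shares with previously seen software. Constructed example,
not the product's own implementation."""
import hashlib
from collections import defaultdict
from typing import Dict, Set

GENE_SIZE = 8  # bytes per gene; an assumed value, real systems chunk by code structure


def extract_genes(blob: bytes, size: int = GENE_SIZE) -> Set[bytes]:
    """Hash every overlapping `size`-byte window. Overlapping windows make the
    match independent of where a fragment sits inside the image, so the same
    routine is recognised even after relocation or a change of header."""
    return {
        hashlib.blake2b(blob[i:i + size], digest_size=8).digest()
        for i in range(len(blob) - size + 1)
    }


class GeneIndex:
    """Reference library: genes of known malware families and of trusted software."""

    def __init__(self) -> None:
        self.families: Dict[str, Set[bytes]] = defaultdict(set)
        self.trusted: Set[bytes] = set()

    def add_family_sample(self, family: str, blob: bytes) -> None:
        self.families[family] |= extract_genes(blob)

    def add_trusted(self, blob: bytes) -> None:
        self.trusted |= extract_genes(blob)

    def classify(self, blob: bytes, min_reuse: float = 0.2) -> dict:
        genes = extract_genes(blob)
        if not genes:
            return {"verdict": "unknown", "trusted_fraction": 0.0, "reuse": {}, "unknown_genes": 0}
        shared_trusted = genes & self.trusted
        # Code also present in trusted software (shared runtime, compiler stubs) must not
        # count as evidence for a family; dropping it is what keeps false positives down.
        candidate = genes - shared_trusted
        if not candidate:
            return {"verdict": "trusted", "trusted_fraction": 1.0, "reuse": {}, "unknown_genes": 0}
        reuse = {fam: len(candidate & fg) / len(candidate) for fam, fg in self.families.items()}
        matched: Set[bytes] = set()
        for fg in self.families.values():
            matched |= candidate & fg
        best_family, best_score = max(reuse.items(), key=lambda kv: kv[1], default=("unknown", 0.0))
        verdict = best_family if best_score >= min_reuse else "unknown"
        return {
            "verdict": verdict,
            "trusted_fraction": len(shared_trusted) / len(genes),
            "reuse": reuse,
            "unknown_genes": len(candidate - matched),
        }


# Constructed byte sequences standing in for real code; chosen to be distinct.
RUNTIME_STUB = bytes(range(0x00, 0x20))   # e.g. a shared CRT routine present in benign software
FAMILY_A_CODE = bytes(range(0x80, 0xa0))  # routine first seen in the constructed "family_a"
FAMILY_B_CODE = bytes(range(0xc0, 0xe0))  # routine first seen in the constructed "family_b"


def build_index() -> GeneIndex:
    idx = GeneIndex()
    idx.add_trusted(RUNTIME_STUB)
    idx.add_family_sample("family_a", FAMILY_A_CODE)
    idx.add_family_sample("family_b", FAMILY_B_CODE)
    return idx


def new_variant() -> bytes:
    """A 'new' in-memory image: shifted by a two-byte header, reusing the trusted
    stub and most of family_a's routine, followed by bytes never seen before."""
    return b"\xff\xfe" + RUNTIME_STUB + FAMILY_A_CODE[:24] + bytes(range(0x7e, 0x74, -1))


if __name__ == "__main__":
    report = build_index().classify(new_variant())
    print(report["verdict"], {k: round(v, 3) for k, v in report["reuse"].items()})
```

Run stand-alone, the variant is attributed to `family_a` even though it has never been seen before: 17 of the 36 genes that are not shared with trusted software come from family_a’s routine, none from family_b, and the remaining 19 are genuinely new. A blob made only of the trusted stub comes back `trusted`, and a blob that shares nothing with the library comes back `unknown`, which is the case an analyst still has to examine by hand.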
In the world of biology, it’s critical to identify the disease, or whatever is causing the ailment. As a doctor, you want to understand what is going on inside the body rather than looking only at the symptoms, for two reasons: 1) so you can diagnose the disease and prescribe the appropriate treatment, and 2) because the symptoms can be misleading or insufficient for a full diagnosis.
The same concept applies to cybersecurity. The behavioral analysis approach is similar to looking only at the symptoms. It may inform you of the symptoms a particular server or machine is experiencing, but it ultimately fails to diagnose the illness, the threat itself that is causing the issue. Genetic Analysis, on the other hand, analyzes the code running in memory, which is equivalent to performing an MRI in order to diagnose the cyber threat.
Getting the right “diagnosis” for incident response means running the kind of analysis that will give you real answers about the root cause.
Analyzing Code with Genetic Analysis
At Intezer we believe the key to preventing cyber attacks is to detect and respond to the malicious code running in memory. If a malicious application or program does not run in memory, then there will be no successful attack.
The existence of advanced and fileless threats makes identifying the origins of software critical for detecting today’s cyber threats. Rather than searching for anomalies, suspicious behaviors, or IOCs, the Genetic Analysis approach analyzes the binary code running in memory, similar to performing an MRI. Security teams can apply this approach to several different use cases, including threat intelligence, hunting, and incident response automation.
Intezer Analyze’s endpoint analysis tool automates the complex memory analysis process. By analyzing every piece of code running in memory, users are able to detect in-memory threats such as malicious code injections and packed or fileless malware.