It’s a sad fact of life for today’s information-driven organizations that the nature of security threats is continuously shifting and evolving. Intrusion mechanisms such as worms, Trojans and rootkit exploits continually evolve into more-developed forms, and wax and wane in terms of number and frequency of attacks.
Zero-day vulnerability attacks and rootkit exploits are more difficult to detect and, therefore, harder to prevent. Increasingly, they are embedded in application software — whether on a PC, Mac or mobile OS. Their goal is the theft of valuable information, as opposed to systems disruption or cyber-vandalism.
“Today, analysts estimate roughly 75 percent of all security attacks are targeted at applications,” Scott Magrath, director, product marketing at Verisign, told TechNewsWorld. “However, only 10 percent of enterprise security spend is focused on application security. This is something we expect to change dramatically over the next few years — fueled in part by regulations like PCI (payment card industry data security standards) focusing more on application security. This requires customers to invest in extending what they are doing at the network level to the application level.”
Given portents such as this, demand for third-party security management services, as well as for systematic security risk-profiling and management solutions, continues to grow. The need to protect applications and data resources more proactively is also driving the development and application of heuristics — that is, empirical, judgment-based rules for intrusion detection and prevention — and other forms of artificial intelligence in security products and services.
War Games
With crackers, spoofers and other cyber-outlaws pitting themselves against security systems developers on a daily basis, cyberspace may be likened to a computer and network war game, except that it’s for real. As new vulnerabilities are discovered and exploited, security service providers update their response systems in an escalating feedback cycle akin to an arms race.
Security terminology and conceptualizations, or ways of thinking, are often military in tone. ESET’s Director of Technical Education Randy Abrams, for instance, put it this way: “The attackers always have the ability to test their code against security products before they allow the security products to obtain samples. This is effectively the element of surprise.
“Because of this,” he told TechNewsWorld, “it is important that users are selective about which sites they surf to, and what programs they run.
“Keeping current with security patches from operating system and application vendors is a crucial portion of security. A car has a number of systems that are required for safe operation — the most important being the operator. NOD32 (ESET’s flagship security solution) offers one layer of protection, just as a seatbelt does. The user must still steer and make judicious use of the brakes and accelerator, or they will get hurt. This does not mean that the seatbelt is anything less than a critical safety tool, though,” he commented.
As in any good military operation, intelligence is a key factor in terms of identifying, preventing and successfully defending against security attacks. For IT professionals, that means keeping track of what’s going on in the hacker community.
“Malware researchers monitor a number of locations that these threats are originating from. Monitoring security information from legitimate vendors is also a portion of the puzzle,” Abrams notes. “By identifying the reported vulnerabilities, it is possible to surmise what a new threat will potentially look like.”
Heuristics: If It Looks and Smells Like Malware …
If a potential threat can be identified early, prevention will be that much easier. That’s where the process of designing new heuristics begins. “In the IT security field, heuristics are used to identify a threat based upon how it acts, as opposed to specifically identifying something that has been seen before. If the rules are set up well, the heuristics will be able to identify known threats as well as brand new ones,” Abrams explained.
“By distilling the behavioral components of a potential vulnerability exploit, it is possible to provide heuristic detection of the potential exploit itself,” he added. “This helps to close the window of vulnerability for users while the manufacturer develops a patch that eliminates the vulnerability.”
As the primary means of identifying new threats, heuristics have become a core component of today’s security systems. For instance, Abrams noted that heuristics have prevented infection by zero-day attacks.
“Heuristics not only identify suspicious behaviors, but make a determination of good or bad,” he pointed out.
“When the Blaster worm came out, ESET’s users were already protected due to the heuristics in NOD32. There have been several other threats that the heuristics of NOD32 have detected — hence preventing data, information and privacy loss to users,” Abrams said.
“A good antivirus software will employ different methods to detect malware,” Shane Coursen, senior technical consultant for Kaspersky labs, told TechNewsWorld.
“Most often, the primary method is the string scanner, used to detect known malware,” he said. “Heuristics augment the string scanning method to detect something that might be malicious. Both methods combine to form a larger umbrella.”
The key component in good heuristics design, Coursen continued, “is that which will take into account the existing methods and vectors of infection, of course. And just as importantly, false positives must be kept to an absolute minimum. Updates are most often associated with string scanners, although updates can provide new heuristic engine rules as well.
“Updates — as in keeping an antivirus product up-to-date, as well as its signature database — are critical in all cases,” he emphasized.
“The real balancing act is in setting thresholds for suspicious activities,” continued ESET’s Abrams. “There are no actions that malicious software can take that legitimate programs could not. The trick is in identifying combinations in enough detail to catch the bad ones while leaving the good programs alone to perform their functions.”
Lean and Mean
With the rapid evolution of malware and its potential to do damage, a fast, automated response is critical for any security system.
“Some products use less-intelligent methods of behavior blocking that then require the user to understand what it means that ‘a program is writing to the hosts file’ and decide if this is an appropriate behavior,” Abrams noted. “In some cases, it is — and if the user chooses incorrectly, [a] legitimate application is prevented from functioning. The less intelligent the approach, the less useful it is for networks and for users who are not experts in computer technology.”
ESET employs three means to meet these requirements: generic signatures, passive heuristics and advanced heuristics.
Used effectively to identify and thwart known types of threats, generic signatures measure how similar something is to a known threat.
“I like to use the analogy of dogs,” Abrams said. “You have probably seen a dog on the street that you knew was a dog, but you didn’t know what breed it was. If your job were to spot dogs, the breed is not relevant, but if you get fined for calling out cats, it is a problem. We have seen enough bagles, mytobs, zotobs, etc., that when a new one comes out, we can say, ‘We haven’t seen this exact sample before, but we do know that it is a mytob.’”
Heuristics, in contrast, are used to protect against unknown threats. “Heuristics analyze the files as they are scanned or accessed, and look at what it appears the file will try to do. If the file is writing to the registry and modifying a system file, it may be a critical security patch — but if it is also sending e-mail, and using IRC (Internet relay chat), then it is a bit more suspicious. Add a few other actions that we may see code for, and we can tell you that the file is almost certainly up to no good.”
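The scoring idea Abrams describes above, and the threshold balancing act from the earlier quote, can be made concrete in a toy static scanner. This is an added example, not ESET’s or Kaspersky’s code: the capability markers, family profile, weights, threshold and sample files are all constructed here, and a real engine derives behaviours from far richer analysis than substring matching.

```python
# Added example (constructed; not a vendor's engine). A toy static scanner that
# combines a generic family signature (similarity to a known family's behaviour
# profile) with passive heuristics: weighted behaviours, boosts for suspicious
# combinations, and a threshold tuned so a legitimate patch installer stays clean.
from itertools import combinations

# Strings a file carries code for -> the behaviour that code implies (constructed).
MARKERS = {
    b"RegSetValueEx": "registry_write",
    b"\\system32\\": "system_file_write",
    b"MAIL FROM:": "sends_email",
    b"PRIVMSG ": "irc_client",
    b"CreateRemoteThread": "code_injection",
}
# Generic signature: the behaviour profile of a known family (constructed).
FAMILY_PROFILES = {"mytob-like": {"sends_email", "irc_client", "registry_write"}}
# Per-behaviour weights and combination boosts (constructed values).
WEIGHTS = {"registry_write": 1, "system_file_write": 1, "sends_email": 2,
           "irc_client": 3, "code_injection": 3}
COMBO_BOOST = {frozenset({"sends_email", "irc_client"}): 4,
               frozenset({"system_file_write", "code_injection"}): 4}
THRESHOLD = 7  # a patch (registry + system file) scores 2 and stays clean

def extract_behaviours(data: bytes) -> set:
    """What the file appears it will try to do, judged from the code it carries."""
    return {behaviour for marker, behaviour in MARKERS.items() if marker in data}

def family_match(behaviours: set, min_similarity: float = 0.66):
    """Generic signature: Jaccard similarity of the behaviour set to each family."""
    best_name, best_sim = None, 0.0
    for name, profile in FAMILY_PROFILES.items():
        sim = len(behaviours & profile) / len(behaviours | profile)
        if sim > best_sim:
            best_name, best_sim = name, sim
    return best_name if best_sim >= min_similarity else None

def heuristic_score(behaviours: set) -> int:
    """Sum of single-behaviour weights plus boosts for suspicious pairs."""
    score = sum(WEIGHTS.get(b, 0) for b in behaviours)
    for a, b in combinations(sorted(behaviours), 2):
        score += COMBO_BOOST.get(frozenset({a, b}), 0)
    return score

def verdict(data: bytes) -> dict:
    beh = extract_behaviours(data)
    fam, score = family_match(beh), heuristic_score(beh)
    return {"behaviours": beh, "family": fam, "score": score,
            "suspicious": fam is not None or score >= THRESHOLD}

# Constructed samples: a patch installer, a known-family worm, an unknown threat.
PATCH_SAMPLE = b"setup: RegSetValueEx ... copy to \\system32\\ ..."
WORM_SAMPLE = b"RegSetValueEx \\system32\\ MAIL FROM: PRIVMSG #ctl"
NEW_SAMPLE = b"drop into \\system32\\ then CreateRemoteThread"
```

The worm is caught twice over (family match and a score of 11), the unknown sample only by the combination boost (score 8), and the patch is left alone.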
Taking heuristics a step further, using advanced heuristics involves “creating a sandbox in the virus scanner and then using emulation to ‘run’ the program under test,” Abrams explained. “This method allows us to see what the program is actually doing. Emulation can cause encrypted or packed malware to decrypt or unpack itself, thus exposing the program to both signature detection and other heuristics methods of detection.”
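The emulation step Abrams describes, as an added example that is not ESET’s code: a toy packed sample whose unpacking stub runs in a tiny interpreter over a private copy of the file, after which the string scanner that missed the packed file finds the exposed strings. The instruction format, opcodes, packer and sample are all constructed; a real emulator models a CPU and loader, and the step budget shown here is the usual guard against stubs that loop forever.

```python
# Added example (constructed toy, not a vendor's emulator). A packed sample is
# run under emulation in a sandboxed memory copy so its XOR-encoded body is
# exposed to the same string scanner that found nothing in the file on disk.
OP_XOR, OP_JMP, OP_HALT = 0x01, 0x02, 0xFF   # constructed toy instruction set
MARKERS = (b"MAIL FROM:", b"PRIVMSG ")        # what the string scanner looks for

def pack(payload: bytes, key: int) -> bytes:
    """Build a sample: an 8-byte stub (XOR key start len; JMP start; HALT pad)
    followed by the XOR-encoded body. Body must be under 256 bytes (toy limit)."""
    body = bytes(b ^ key for b in payload)
    start = 8
    stub = bytes([OP_XOR, key, start, len(body), OP_JMP, start, OP_HALT, 0])
    return stub + body

def string_scan(image: bytes) -> list:
    """The plain signature scanner: markers present in the given bytes."""
    return [m for m in MARKERS if m in image]

def emulate(image: bytes, max_steps: int = 1000) -> bytes:
    """Execute the stub on a private copy of the image and return that memory.
    Emulation stops at HALT, at the step budget, at an out-of-range pc, or when
    control reaches bytes that are not stub opcodes (the unpacked entry point)."""
    mem, pc = bytearray(image), 0
    for _ in range(max_steps):
        if pc >= len(mem):
            break
        op = mem[pc]
        if op == OP_XOR:
            key, start, length = mem[pc + 1], mem[pc + 2], mem[pc + 3]
            for i in range(start, min(start + length, len(mem))):
                mem[i] ^= key
            pc += 4
        elif op == OP_JMP:
            pc = mem[pc + 1]
        else:
            break  # HALT, or execution transferred into decoded data
    return bytes(mem)

# Constructed sample: mail plus IRC strings hidden behind a one-byte XOR packer.
PAYLOAD = b"MAIL FROM: <bot@example.invalid>\r\nPRIVMSG #ctl :ready\r\n"
SAMPLE = pack(PAYLOAD, 0x5A)
```

On disk the scanner sees nothing; after emulation both markers surface, and a stub that only jumps to itself is cut off by the step budget rather than hanging the scanner.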