The problem with the bad guys is that they don’t have any rules. In fact, the only predictable thing about them is that, at some point, unauthorised access to your systems will be part of their plan.
We’ve been through a phase where the bad guys could obfuscate, encrypt or, plainly speaking, simply hide their malware in many ways across many different file types. They did this with such success that it broke the operational certainty of traditional anti-virus, and it was the catalyst for great innovation in the security industry. Along came the sandbox, no longer focussed solely on the input of a file and its component parts, but providing an environment in which the object or file could be executed and its output, or behaviours, studied.
Sandboxes heralded the next wave of zero-day detection claims, validated by signature-less detection methodologies. You are making a security decision based on what a file does, rather than how it is made. Below is an example of how DarkComet behaves (AKA DarkKomet, AKA Fynloski, AKA Fynlos, AKA Backdoor.comet). Even the mass of names it carries hints at the complexity of trying to make a security decision based on endlessly changing code samples. Ultimately, it’s a boil-the-ocean approach. So, when it’s possible to look at what a file does, that offers a solution to failing to keep up with endless input variants.
Graph Courtesy of densitydesign.com
There are countless variants of DarkComet on different malware repositories. However, despite each DarkComet sample being unique, they all do exactly the same thing. Essentially, they create a copy of themselves, gain persistence, install particular functions and phone home.
Sandboxes added another dimension to security. Instead of being focussed on predicates based on input sources, we could now compare predicates based on output to augment security. Sandboxes changed what the bad guys have to hide: no longer could they rely on deceiving security about what they are, they now have to deceive security about what they do.
Evasion techniques grow ever more popular, from conditional malware, which will only execute if you have the right cookie, the right browser, the right IP address and the right language pack, to non-execution upon the detection of virtual machines and researcher tools. There is even multiphase malware delivery where, if the sandbox is to understand what the file does, it must have the key to decrypt the file, and that key comes from other elements encountered by the intended victim during a different stage of the attack. Waiting for and counting human interactions with the system, using them as thresholds and gates before a malware payload will run, is also being utilised. In order for a sandbox to scrutinise the output of something, it must solve three challenges. Firstly, it must be able to select the activity which is likely to contain suspicious input sources. Secondly, it must be able to convince the input source to execute its intended actions. And thirdly, it must do so within a specific timeframe.
Essentially, the sandbox is distinguishable from the real targets of the attack, which are the actual endpoints, and because of this, the sandbox is evadable.
Instrumented systems solve this problem because they are sentinels on the endpoint: every endpoint becomes a security device, every input source is checked upon encounter and every subsequent output is monitored regardless of time. Even if a file lies dormant for months, the instrumentation of the endpoint reports as soon as a behaviour is detected.
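To make the contrast concrete, here is an added example (not code from the original post or any vendor product) that correlates the DarkComet behaviour pattern described above, self-copy, persistence and phone-home, over a constructed stream of endpoint telemetry. The event schema (`ts`, `pid`, `type`, `data`) and the sample values are assumptions; the optional `sandbox_window` models a time-boxed sandbox, while leaving it unset models endpoint instrumentation that keeps watching regardless of elapsed time.

```python
from collections import defaultdict

# Constructed telemetry, not real logs. Timestamps are seconds since boot.
SAMPLE_EVENTS = [
    {"ts": 0, "pid": 4242, "type": "process_start", "data": {"image": r"C:\Users\u\tmp\dl.exe"}},
    {"ts": 2, "pid": 4242, "type": "file_write",
     "data": {"path": r"C:\Users\u\AppData\Roaming\svc.exe", "same_hash_as_image": True}},
    {"ts": 3, "pid": 4242, "type": "registry_set",
     "data": {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"}},
    # The beacon only fires weeks later, long after any sandbox run has ended.
    {"ts": 7_000_000, "pid": 4242, "type": "net_connect", "data": {"dst": "203.0.113.10:1604"}},
    # A benign process that writes a document and talks to the network.
    {"ts": 5, "pid": 9001, "type": "file_write",
     "data": {"path": r"C:\Users\u\Documents\notes.txt", "same_hash_as_image": False}},
    {"ts": 6, "pid": 9001, "type": "net_connect", "data": {"dst": "198.51.100.5:443"}},
]

# All three behaviours must be seen on one process before it is flagged.
REQUIRED = {"self_copy", "persistence", "beacon"}


def classify(event):
    """Map one raw telemetry event to a behaviour tag, or None if uninteresting."""
    kind, data = event["type"], event["data"]
    if kind == "file_write" and data.get("same_hash_as_image"):
        return "self_copy"      # dropped a copy of its own executable
    if kind == "registry_set" and "\\CurrentVersion\\Run\\" in data.get("key", ""):
        return "persistence"    # autorun key written
    if kind == "net_connect":
        return "beacon"         # outbound connection, i.e. phoning home
    return None


def correlate(events, sandbox_window=None):
    """Return {pid: {"tags": set, "span": seconds}} for processes showing every REQUIRED behaviour.

    With sandbox_window set, events later than that many seconds after the
    process's first event are ignored, which is what a time-boxed sandbox sees.
    """
    first_seen, last_seen, tags = {}, {}, defaultdict(set)
    for ev in sorted(events, key=lambda e: e["ts"]):
        pid = ev["pid"]
        first_seen.setdefault(pid, ev["ts"])
        if sandbox_window is not None and ev["ts"] - first_seen[pid] > sandbox_window:
            continue            # outside the observation window: the sandbox never sees it
        tag = classify(ev)
        if tag:
            tags[pid].add(tag)
            last_seen[pid] = ev["ts"]
    return {pid: {"tags": t, "span": last_seen[pid] - first_seen[pid]}
            for pid, t in tags.items() if REQUIRED <= t}
```

Run against the sample, the endpoint view flags pid 4242 with a span of weeks, while a 300-second sandbox window flags nothing because the beacon falls outside it.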
Static analysis or dynamic analysis. Input focused or output focused. It really doesn’t matter. While encryption broke the input focus of traditional AV vendors, file-based static analysis and evasion are breaking the output focus of traditional sandbox vendors.
Only the endpoint knows what something is, and what something does. Instrument that and you have Next Gen Endpoint Security.