Understanding Endpoint Threat Diversification to Help Better Secure Infrastructures
The threat landscape has evolved considerably over the years, as the technology stack deployed within local and cloud infrastructures has changed dramatically to include a wide array of tools, services and stakeholders. Threat diversification has driven the development of new security technologies designed in layers, each aimed at stopping advanced and sophisticated malware at a different stage of the attack.
Endpoint security has become the new normal and, while it can secure organizations against mass-market malware, advanced persistent threats (APTs) are purposely built to dodge this security mechanism. Only layered endpoint security, fueled by machine learning and behavioral analysis, can protect against these attacks and the wide range of techniques they use, ensuring that new and unknown malware is accurately identified and disposed of.
Deploying aggressive analysis tools on endpoints, however, is not without drawbacks, performance issues chief among them. Cloud sandboxing has therefore emerged as an increasingly important option for detecting sophisticated attacks pre-execution, and for securing endpoints without degrading their performance.
Sandboxing vs. Emulation
Although the terms sandboxing and emulation are sometimes used interchangeably, the two technologies show fundamental differences once we look closely at how advanced malware works and how it is detected. Standard endpoint protection (EPP) emulation is usually handled locally: only selected chunks of code are analyzed, followed by feature extraction performed by machine learning algorithms. Since the entire analysis is performed in mere milliseconds, it is limited by local computing resources and is therefore at risk of false positives.
Emulation is an integral part of an anti-malware product's pre-execution stack and plays a vital role in the overall security stack of an EPP solution. As such, its importance should not be downplayed: it offers a pre-execution layer designed to filter out garden-variety threats without overtaxing a cloud-based sandbox with easily predictable ones.
Conversely, cloud sandboxing detonates the actual file, including additional payloads, in a virtual cloud host meant to replicate the endpoint configuration. The biggest difference between the two is that unlike emulation, where local resources are limited, a cloud-based sandbox utilizes a significantly larger pool of computing power to fully analyze the complete behavior of a potential threat in real-world conditions.
Since most advanced threats employ sophisticated reconnaissance techniques before dropping additional malicious components, a sandbox analysis provides complete visibility into the entire attack chain. This enables the security solution to block the initial attack vector and to identify the other components or tools that threat actors use to gain access to a machine. Because the sandbox analyzer is not a production machine, the security tools performing behavioral analysis can be configured to a heightened state of alert (a sort of paranoid mode) that allows close monitoring of every action the potentially malicious file performs when executed.
Submitting an unknown file to a sandbox analyzer may take longer than simply running the local emulator, but the behavioral information collected from the sandbox is far more detailed and more reliable. A verdict on whether a file is malicious is based on more than one technology. For example, specifically trained machine learning algorithms and advanced behavior-based security tools can assess the threat in more depth than the locally configured, performance-friendly security tools can.
In a nutshell, while both emulation and cloud-based sandbox analysis are an integral part of threat detection, the latter is specifically built to detect and analyze sophisticated threats using machine learning algorithms and aggressive behavior analysis technologies that would otherwise negatively impact the performance of the local machine.
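The two-tier flow described above, as an added toy example (not Bitdefender's code or any vendor's API): a confident local emulator verdict is final, only unknown files are detonated, and the sandbox verdict combines a model score with behavioral attack-chain rules that a "paranoid mode" can afford to weight heavily. Event names, thresholds, scores and the sample trace are all constructed for illustration.

```python
"""Toy two-stage triage (constructed): the local emulator's verdict is final
when confident; only 'unknown' files are detonated in a sandbox whose verdict
combines a hypothetical ML score with behavioural attack-chain rules."""
from dataclasses import dataclass, field

@dataclass
class SandboxReport:
    ml_score: float                              # 0..1, hypothetical sandbox model
    events: list = field(default_factory=list)   # ordered behavioural events

OFFICE = {"winword.exe", "excel.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

def chain_stages(events):
    """Stages visible only with full detonation: an Office process spawning a
    shell, an executable dropped to disk, and that executable calling out."""
    stages, dropped = set(), set()
    for e in events:
        if e["type"] == "process" and e["parent"] in OFFICE and e["image"] in SHELLS:
            stages.add("doc_spawns_shell")
        elif e["type"] == "file_write" and e["path"].lower().endswith(".exe"):
            dropped.add(e["path"].rsplit("\\", 1)[-1].lower())
        elif e["type"] == "network" and e["image"].lower() in dropped:
            stages.add("dropped_exe_beacons")
    return stages

def sandbox_verdict(report, paranoid=True):
    """Paranoid mode (safe off-endpoint): two chain stages or a moderate ML
    score convict. Endpoint mode mimics a cheap, high-confidence-only check."""
    stages = chain_stages(report.events)
    bad = (len(stages) >= 2 or report.ml_score >= 0.6) if paranoid \
        else report.ml_score >= 0.9
    return ("malicious" if bad else "clean"), stages

def triage(local_verdict, fetch_report):
    """Known emulator verdicts are final; only 'unknown' costs a sandbox run.
    Returns (verdict, sandbox_used)."""
    if local_verdict != "unknown":
        return local_verdict, False
    return sandbox_verdict(fetch_report())[0], True

# Constructed trace of a macro document dropping and launching a second stage.
SAMPLE_EVENTS = [
    {"type": "process", "parent": "winword.exe", "image": "powershell.exe"},
    {"type": "file_write", "path": "C:\\Users\\Public\\upd.exe"},
    {"type": "process", "parent": "powershell.exe", "image": "upd.exe"},
    {"type": "network", "image": "upd.exe", "dst": "203.0.113.7:443"},
]
SAMPLE_REPORT = SandboxReport(ml_score=0.35, events=SAMPLE_EVENTS)
```

Note that the same trace is "clean" under the endpoint-style threshold and "malicious" in paranoid mode: the low model score alone would not convict, but the full chain seen by the sandbox does.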
Disarming Threat Actors' Weapon of Choice
One thing that sophisticated threats have in common is their reliance on commonly used files to deliver malicious payloads. Documents and executables are often used as both reconnaissance and malware delivery mechanisms when infiltrating an organization.
Taking those files and “detonating” them in controlled environments – away from the victim’s endpoint – means threat actors are practically disarmed, as their most effective and commonly deployed weapons are essentially rendered useless.
Tightly integrated with a company’s EPP, cloud-based sandbox analyzer technology can only strengthen the overall security posture, acting as a new security layer specifically designed to detect malware and report unusual artifacts that employ all sorts of anti-evasion techniques. Moreover, with its rich forensic information, it can give companies a complete and detailed analysis of any detected threat, enabling them to strengthen or rethink a variety of security policies across the infrastructure.
About the author: Liviu Arsene is a Senior E-threat Analyst for Bitdefender, with a strong background in security. He has been closely working and interfacing with cross-company development teams, as his past Product Manager role involved understanding Bitdefender’s technology stack.