I took part in a panel discussion yesterday in beautiful Napa Valley. My thanks to Ron Gula, CEO of Tenable Network Security, for inviting me to participate along with three other very talented gentlemen.
During the discussion a question came up: “Why are advanced persistent threats not being detected with today’s antivirus and antimalware solutions?” I thought it was a great question.
First, it is important to understand that there are two parts to that question that need to be explained.
1) The question wasn’t merely about the malware; it was also about its use.
2) What is “advanced” about APT?
If you’ve followed our blog for any time you’ll recognize that we (Cylance) don’t merely look for malware; we consider how it is intended to be used, i.e. whether it has malicious traits or characteristics as determined by our phenomenal machine learning system that we call Infinity©. We also look into how it was used, and at related activities where malware is no longer needed by the perpetrators of the compromise (or, in many cases, their subsequent subscribers).
We all know that in most incidents malware provides an entry point for activities including privilege escalation, reconnaissance, lateral movement, and data theft or sabotage. In others malware provides capabilities to exploit security defenses or system configurations to make the related activities possible. In other words, malware is a tool that facilitates malicious activities.
One of the panel members noted that the mechanics of malware haven’t really advanced, and another panelist added that much of the malware found recently had been in use for 5-7 years. There are certainly advancements in how the malware adapts to the system types it is compromising, but it is fundamentally programmed to provide entry or to exploit configurations that facilitate malicious activities.
Advanced Persistent Threats are advanced when the actors use an organization’s own defenses and administrative capabilities to achieve their goals. The tools are advancing in sophistication, but the tactics and procedures for the use of those tools, and of corporate administrative utilities thereafter, are the real advancements in APT. APT actors have adapted to an organization’s work schedule and to its administrative infrastructure, VPN, identity management (and provisioning) systems, and even its existing publishing nodes (websites or FTP services). Malware merely provides the opportunity for those activities. However, just as APT activities have adapted to use the procedures and administrative utilities of the organizations they target, so too have malware tools adapted over time.
The reason that malware such as Reedum, BlackPOS, OWL, Shamoon, or the myriad variants of Zeus, PoisonIvy, or Gh0st tools used in APT have not been detected by antivirus and antimalware is that they manipulate the identifying features that signature-based solutions depend upon. They simply don’t stand out as much to existing security tools. They make use of native API calls rather than custom code, they use administrative tasks already available on each operating system rather than constructing routines, and they adapt their identity (hash, domain/IP use, etc.) to defeat list-based matching.
The answer to the question that was posed is rather simple. Today’s antivirus and antimalware “solutions” depend on matching signatures to blacklists: antivirus DATs, internet addresses, system configuration settings, or similar. In other words, they depend on recognizing something that has been seen before. Our technology, CylancePROTECT™, based on our Infinity© machine learning system, recognizes the characteristics of a malicious file by how related (system and programmed) resources are intended to be used, in order to prevent its execution.
The difference can be summarized as follows: signatures (A/V, A/M, etc.) might recognize what you look like, but Infinity© can understand what you are like.
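As an added illustration of that distinction (example code written for this page, not Cylance’s code and not a description of how Infinity© works), the following Python compares an exact-hash blocklist with a hypothetical trait scorer over constructed samples. The sample contents, trait names and weights are assumptions made up for the illustration, not a real product’s model.

```python
import hashlib

# Constructed stand-ins for file contents (not real malware): strings that a
# program's import table or embedded commands would expose to a scanner.
KNOWN_BAD = (b"MZ<constructed header>"
             b"OpenProcess WriteProcessMemory CreateRemoteThread "
             b"net user <constructed> /add  schtasks /create")
# The same program with one padding byte appended: identical behaviour, new hash.
VARIANT = KNOWN_BAD + b"\x00"
BENIGN = b"MZ<constructed header>ReadFile WriteFile quarterly_report.csv"

# A signature blocklist of the kind an antivirus DAT embodies: exact identities only.
BLOCKLIST = {hashlib.sha256(KNOWN_BAD).hexdigest()}

# Hypothetical trait weights: how the program intends to use system resources.
TRAITS = {
    b"CreateRemoteThread": 3,   # execute code inside another process
    b"WriteProcessMemory": 2,   # write into another process's memory
    b"net user": 2,             # account changes via native admin tooling
    b"schtasks /create": 2,     # persistence via the OS task scheduler
}


def hash_match(data: bytes) -> bool:
    """List-based matching: true only if this exact file has been seen before."""
    return hashlib.sha256(data).hexdigest() in BLOCKLIST


def trait_score(data: bytes) -> int:
    """Sum the weights of the traits present; padding that alters the hash
    leaves this score unchanged because the traits are still in the file."""
    return sum(weight for trait, weight in TRAITS.items() if trait in data)


def classify(data: bytes, threshold: int = 4) -> str:
    """Signature check first, then the trait score against a chosen threshold."""
    if hash_match(data):
        return "blocked: known hash"
    if trait_score(data) >= threshold:
        return "blocked: malicious traits"
    return "allowed"


if __name__ == "__main__":
    for name, sample in (("known", KNOWN_BAD), ("variant", VARIANT), ("benign", BENIGN)):
        print(f"{name:8} hash_match={hash_match(sample)!s:5} "
              f"traits={trait_score(sample)} -> {classify(sample)}")
```

The variant slips past the hash blocklist but keeps the same trait score as the original, which is the gap the post describes between recognizing what a file looks like and what it is like.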
What’s so “advanced” about APT? The activities; the tools only facilitate them. Malware is a tool; how it is used (intended or actual) is what matters. So if we can prevent the tool’s use, we can prevent everything that would otherwise happen afterwards.
Shane Shook, PhD
CKO/Global VP of Consulting