Nearly all cyber attacks require running code. Regardless of the attack vector, in order for an adversary to create any damage, such as stealing data, installing a backdoor, or deleting sensitive materials, they must run code on a target’s computer or server (in the cloud or on-premise).
While traditional anomaly detection solutions can effectively alert us on suspicious behaviors, they are limited in their ability to identify what threat is actually running in memory. This can be problematic for detecting in-memory threats — such as malicious code injections, packed, and fileless malware — and sophisticated threats which are designed to look “normal”.
Limitations of Behavioral Analysis
In an article I wrote for Help Net Security, I state that anomalies only provide us with an indication that something is wrong with our machine or server. In order to understand the root problem, respond, and ensure that a system or machine is completely clean, we must search for and identify the unauthorized and malicious code running in memory that caused the anomaly alert to begin with.
While behavioral analysis solutions present us with a means to detect and alert on suspicious behaviors, they tend to produce too many false positive alerts for the security analyst. In addition, behavioral analysis solutions are prone to be evaded by sophisticated threats which are designed to not generate anomalies. Simply put, if you’re a sophisticated attacker, you know how to appear normal.
Incident responders also require context about threats in order to effectively tailor their response. Security teams can benefit from classifying threats and attributing the developer behind them. If a file doesn’t behave suspiciously, but if you know it was created by the same author as the Emotet, for example, then you can likely conclude it behaves with malice.
Making the Diagnosis vs. Looking at the Symptoms
Instead of searching for suspicious behaviors, anomalies or IOCs, the Genetic Malware Analysis approach detects code reuse between software on the binary level. In other words, it detects code that was seen in previous cyber attacks. Even if an attacker reuses tiny portions of the same code in future attacks, you as the defender will be able to detect any future threat that shares the same code.
In the world of biology, it’s critical to identify the disease or what is causing the ailment. As a doctor, you want to understand what is going on inside of the body versus looking at only the symptoms: 1) So you can diagnose the disease and provide the appropriate prescription and 2) the symptoms can often be misleading or not lead you to making the full diagnosis.
The same concept applies to cybersecurity. The behavioral analysis approach is similar to looking at only the symptoms. This approach may inform you about the symptoms a particular server or machine is experiencing, but it ultimately fails to diagnosis the illness or threat itself, which is causing the symptoms to begin with. Genetic Malware Analysis, on the other hand, analyzes the code running in memory, which is equivalent to performing an MRI in order to diagnose the cyber threat.
At Intezer we believe the key to preventing cyber attacks is to detect and respond to the malicious code running in memory. If a malicious application or program does not run in memory, then there will be no successful attack.
The existence of advanced and fileless threats makes identifying the origins of software critical for detecting today’s cyber threats. Rather than searching for anomalies, suspicious behaviors, or IOCs, the Genetic Malware Analysis approach analyzes the binary code running in memory, similar to that of performing an MRI. This approach can be applied by security teams to several different use cases, including incident response automation, threat intelligence, and runtime cloud workload protection.
Need help getting started using Genetic Malware Analysis? Contact us: https://intezer.com/contact-us/
- Memory analysis is the ground truth: https://www.helpnetsecurity.com/2019/05/17/memory-analysis/
- Intezer Analyze’s endpoint analysis feature automates the complex memory analysis process. By analyzing every piece of code running in memory, users are able to detect in-memory threats such as malicious code injections, packed, and fileless malware. Try it now for free in our community edition: https://analyze.intezer.com/#/analyze