Albeit a rather graphic metaphor for Advanced Threat Prevention, the 2008 action thriller Death Race is a visceral depiction of what every security professional goes through daily: driving a set of cobbled-together technologies around a known course with surprises around every corner, many of which can mean death, or, in the case of your organization, a major breach or malware disruption. Every time you plan for a certain type of attack, the enemy finds a new evasion technique, and the race begins anew.
Or Is It Cat And Mouse?
Okay, so if Death Race is too graphic a metaphor, how about a classic cartoon from the 1940s? Anyone remember Tom and Jerry? In over 200 segments, Tom (the cat) attempted new and creative ways to catch and eat Jerry (the mouse). The good news is that in a family cartoon the mouse always wins; as any outdoor cat owner knows, however, in real life the cat wins very often. This is also the case in the game of cat and mouse between IT security professionals and cyber criminals intent on harming your organization.
Coincidentally, according to SearchSecurity “There are currently about 200 known evasion techniques that are recognized by vendor products.”
Evolving Evasion Techniques
There are a number of methods by which the sophisticated malware of today can evade even the best of network-based security controls and technology defenses. But do you know how they work, and how they evolve?
- How they work: Andrea Fortuna describes the two most common evasion techniques and the six most common obfuscation techniques as:
  - Evasion techniques: 1) detecting a sandbox by its core count, and 2) detecting a lack of user input
  - Obfuscation techniques: 1) dead-code insertion, 2) register reassignment, 3) subroutine reordering, 4) instruction substitution, 5) code transposition, 6) code integration
- How they evolve: Advanced Evasion Techniques (AETs) don't rely on inventing new evasions; they vary and combine known evasions to create something new. According to SearchSecurity:
“An AET can create literally millions of "new" evasion techniques from just a couple of combinations -- none of which would be recognized by current intrusion detection system (IDS) vendor products. If all 200 were used, the permutations would be unlimited.”
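As an added illustration (not from the original post or from Solebit), the toy normaliser below shows why the first two obfuscation techniques listed above, dead-code insertion and register reassignment, change a sample's bytes but not its behaviour, and how a static pass that looks at every instruction collapses such variants back to one signature. The instruction syntax and the two samples are constructed for this example.

```python
import hashlib
import re

# Toy instruction syntax (constructed for this example, not real x86):
# "op dst, src". Registers are named r<n>. Flags and memory side effects
# are ignored, which is why the dead-code rules below are safe here.
REG = re.compile(r"\br\d+\b")

def parse(instr):
    op, _, rest = instr.strip().partition(" ")
    args = [a.strip() for a in rest.split(",")] if rest else []
    return op, args

def strip_dead_code(code):
    """Drop instructions with no effect: nop, 'mov r, r', and push X / pop X pairs."""
    out, i = [], 0
    while i < len(code):
        op, args = parse(code[i])
        if op == "nop" or (op == "mov" and len(args) == 2 and args[0] == args[1]):
            i += 1
            continue
        if op == "push" and i + 1 < len(code):
            op2, args2 = parse(code[i + 1])
            if op2 == "pop" and args2 == args:
                i += 2
                continue
        out.append(code[i])
        i += 1
    return out

def canonicalise_registers(code):
    """Rename registers in order of first use so r7/r4 and r1/r2 variants collide."""
    mapping = {}
    rename = lambda m: mapping.setdefault(m.group(0), f"R{len(mapping)}")
    return [REG.sub(rename, line) for line in code]

def signature(code):
    """Signature of the normalised code; equal for behaviourally identical variants."""
    norm = canonicalise_registers(strip_dead_code(code))
    return hashlib.sha256("\n".join(norm).encode()).hexdigest()

# Constructed sample: the original sequence and a variant produced by
# dead-code insertion (nop, mov r7,r7, push/pop) and register reassignment.
ORIGINAL = ["mov r1, 10", "add r1, r2", "call r1"]
VARIANT = ["nop", "mov r7, 10", "push r3", "pop r3", "mov r7, r7", "add r7, r4", "call r7"]

if __name__ == "__main__":
    print(canonicalise_registers(strip_dead_code(VARIANT)))  # ['mov R0, 10', 'add R0, R1', 'call R0']
    print(signature(ORIGINAL) == signature(VARIANT))         # True
```

The other four obfuscations in the list (subroutine reordering, instruction substitution, code transposition, code integration) need control-flow and semantic analysis beyond this peephole pass, which is the gap a full static evaluation of every instruction is meant to close.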
The Best Option Is To Not Play The Game
Solebit’s SoleGATE uses static analysis, which is faster, more accurate, not dependent on the OS version, and covers 100% of your code with complete visibility. With SoleGATE, every line of code is evaluated, making sandbox evasion techniques ineffective. The platform is agnostic to the file type, the client-side application type, and the client operating system used within the organization. Unlike a sandbox, which has to simulate specific customer environments, SoleGATE provides protection regardless of the operating system, CPU architecture, and function (client or server) of the targeted machine.
See for yourself what SoleGATE can do to deliver evasion-proof security for your organization. Register for a free trial today.