On May 29, 2019, an elusive Linux backdoor was discovered and analyzed by Intezer, an Israeli malware analysis company based in Tel Aviv. While new malware is hardly news, this particular specimen, named HiddenWasp, was undetected by all 59 antivirus engines that feed VirusTotal, the antimalware collaboration service. According to Ars Technica, by the next day up to 13 engines were detecting it. How does a remote access backdoor bypass so many products that continually share data with one another? The answer, and the solution, depend on who you ask.
The traditional view treats detection as a problem of behavior and history. It relies on heuristics and hashes: the former describe how a piece of malware behaves, the latter are fingerprints used to quickly identify a known file. These methods isolate the pieces that offend, commit them to recognition databases, and move on. If a sample happens to trigger the heuristic rules or match a stored hash, it is likely to be caught and blocked.
The traditional view faces a steep challenge. Malware today is adaptive, and most of the time it is designed that way right out of the box. The major ransomware packages that make the news by seizing the data of entire corporations or cities randomize at one or more levels by default: encryption keys are unique per victim, and executables carry randomized names and are dropped into randomized folders in randomized locations. They are designed to be elusive. More precisely, they are designed to elude heuristics and hashing, since every fresh file hash and path string is one the recognition databases have never seen.
The modern view changes perspective and assesses the root problem at a more fundamental level: the binary itself. Intezer notes that “Although the Linux threat ecosystem is crowded with IoT DDoS botnets and crypto-mining malware, it is not very common to spot trojans or backdoors in the wild.” They also note that “Anti-Virus solutions for Linux tend to not be as resilient as in other platforms.” Whether a sample is classified as a trojan or a backdoor ultimately does not matter once you know it is after your data. Why should protection on one OS be weaker than on another? The limitations of cybersecurity’s traditional methods show in the endless difficulty of maintaining dossiers on every threat for every platform.
95 PERCENT OF ALL INCIDENTS FOUND HUMAN ERROR AS A FACTOR.
Before being accused of trashing the entire history and body of work behind heuristics and hashing, it is important to say that they remain critical to security. A great way to become more secure is to understand how malicious code attacks and circumvents defenses, so that we can move forward with better, smarter hardware, software, and operating systems. Good reverse engineering can do a great deal to improve solutions, yet it has a hard time keeping up with the cornucopia of open-source malware code bases, mutated viruses, and exploit kits that forever build upon each other or share functional components.
Add to this the most difficult component to guard: the human element. Prepare for some sobering facts. IBM’s 2014 Cyber Security Intelligence Index reported that 95% of all incidents investigated had human error as a contributing factor. Fast forward a few years, and awareness training has not removed us as prime targets. The Kaspersky Lab Global Corporate IT Security Risks Survey from 2018 found that up to 91% of enterprises that experienced public cloud infrastructure breaches believed social engineering was part of the attack. According to the IBM X-Force Threat Intelligence Index 2019, human error in the form of system misconfiguration accounted for 43% of publicly disclosed incidents in 2018. The very individuals handling and moving files throughout an enterprise are the weakest link when it comes to executing malicious email attachments, opening files from disreputable sources, and becoming unwitting participants in exfiltration attacks. What if there were a better way to protect against adaptive threats that bombard the weakest surface of our enterprises and municipalities?
STARPOINT – SMART DETECTION
Quantum Star Technologies has developed Starpoint as a next-next-generation solution. Starpoint is built to examine a level common to every file regardless of format: the binary data itself. Our patent-pending data science and artificial intelligence feed a new method of detection that is vastly better at detecting and discovering zero-day threats and other previously unseen malicious files.
Case in point: Starpoint detected all but one of the HiddenWasp non-shell-script files as malicious with no modification. At the time of detection, Starpoint was running on a version built in April, over a month before HiddenWasp was even announced.
WHAT MAKES STARPOINT BETTER?
By operating at the binary level, agnostic of platform, Starpoint gains several benefits. The engine itself has no operating system dependency and is equally effective across systems, so cross-platform malicious files can be found with the same effectiveness regardless of OS. Our world is increasingly unifying technologies under cross-platform tools, which suggests that our threats are also increasingly cross-platform. The best way to combat an adaptive attack is with an adaptive response.
197 DAYS – THE MEAN TIME TO IDENTIFY A DATA BREACH.
By applying data science and AI to that base data layer, Starpoint is able to identify the relevant markers, connections, aspects, and details that make a file malicious. Working from a file’s DNA, its raw bytes, gives the AI a framework for detecting adaptive threats, and threats that bear similarities to known malicious code, with great effectiveness.
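To make the contrast concrete, here is an added illustration (written for this page, not Starpoint’s code and not from Intezer’s HiddenWasp analysis) of the point made earlier about randomized keys and paths defeating hashes and string heuristics, and of the idea just described of comparing files on their raw bytes instead. The “binary” is a constructed toy blob, the detection rule string is invented, and the byte 4-gram Jaccard similarity is a simple stand-in for the richer features a real byte-level model would learn; none of these are the product’s actual methods.

```python
"""Hash and string-rule detection versus byte-level similarity on a mutated toy binary.

Constructed example: the 'binary' below is a synthetic blob, not real malware.
"""
import hashlib
import random

# Stable "code section": 2 KiB of seeded pseudo-random bytes, shared by all variants.
_rng = random.Random(20190529)
CODE_SECTION = bytes(_rng.getrandbits(8) for _ in range(2048))


def build_sample(key: bytes, drop_path: bytes, padding: bytes = b"") -> bytes:
    """Assemble a pseudo-binary: header, code, embedded per-victim key, drop path, padding."""
    return (b"\x7fELF" + CODE_SECTION
            + b"KEY=" + key + b"\x00"
            + b"PATH=" + drop_path + b"\x00"
            + padding)


def sha256_hex(blob: bytes) -> str:
    """Exact-match signature: the classic hash lookup."""
    return hashlib.sha256(blob).hexdigest()


def string_rule_hits(blob: bytes, patterns) -> bool:
    """YARA-style string heuristic: fires if any known pattern is present."""
    return any(p in blob for p in patterns)


def ngram_set(blob: bytes, n: int = 4):
    """All byte n-grams in the blob, as a set."""
    return {blob[i:i + n] for i in range(len(blob) - n + 1)}


def ngram_jaccard(a: bytes, b: bytes, n: int = 4) -> float:
    """Jaccard similarity of byte n-gram sets; 1.0 means identical feature sets."""
    sa, sb = ngram_set(a, n), ngram_set(b, n)
    return len(sa & sb) / len(sa | sb)


def xor_pack(blob: bytes, k: int) -> bytes:
    """Single-byte XOR 'packer', the whole-file rewrite a trivial crypter performs."""
    return bytes(x ^ k for x in blob)


# Invented detection rule: the drop path seen in the 'original' sample.
RULE_STRINGS = [b"PATH=/tmp/.svc_update"]


def compare(original: bytes, candidate: bytes) -> dict:
    """Run all three checks of candidate against the known-bad original."""
    return {
        "hash_match": sha256_hex(original) == sha256_hex(candidate),
        "string_rule": string_rule_hits(candidate, RULE_STRINGS),
        "ngram_similarity": round(ngram_jaccard(original, candidate), 3),
    }


# Constructed samples: the known-bad file, a variant with a new per-victim key,
# a randomized drop name and junk padding, and a fully XOR-packed copy of the variant.
ORIGINAL = build_sample(key=bytes(range(16)), drop_path=b"/tmp/.svc_update")
VARIANT = build_sample(key=bytes(range(16, 32)), drop_path=b"/tmp/.q8zx",
                       padding=bytes([0x90] * 64))
PACKED = xor_pack(VARIANT, 0x5A)

if __name__ == "__main__":
    for label, sample in (("original", ORIGINAL), ("variant", VARIANT), ("packed", PACKED)):
        print(f"{label:9s} {compare(ORIGINAL, sample)}")
```

Running it shows the three regimes the article contrasts: the original matches on hash, string rule, and similarity; the randomized variant misses the hash and the string rule yet still shares well over 90% of its byte 4-grams with the original, because the code section is untouched; and the packed copy defeats the naive byte similarity as well, dropping to nearly zero. That last case is the caveat a practitioner should keep in mind when evaluating any byte-level classifier: a sample rewritten end to end by a packer or crypter looks nothing like its parent at the byte level, so such a detector has to handle packed input (for example by unpacking first or by learning features of the packed layer itself) rather than relying on shared bytes alone.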
The IBM-sponsored 2018 Cost of a Data Breach Study: Global Overview reports that the mean time to identify a data breach was 197 days, that is, more than six months. Add the mean time to contain, and that stretches to 266 days, nearly three-quarters of a year. Starpoint is designed to revolutionize the detection of existing and new threats so that an enterprise can prevent an infection outright or shrink the window between infection and identification.
If you are interested in learning more about Starpoint, or would like to partner with us, feel free to contact us at firstname.lastname@example.org.
ABOUT THE AUTHOR
Paul Swaim is the Chief Operations Officer for Quantum Star Technologies, and has worked in Information Technology for over 20 years through consulting, private sector, and public sector roles. His background includes end user support, web development, systems engineering, systems security, project management, contract management, and risk management.