10 Things To Test In Your Future NGFW: Protect Evasive and Never-Before-Seen Attacks


This post is part of a blog series where we dissect the ten things to test in your future next-generation firewall. These ten points will help ensure your next firewall matches the needs of your organization in its current and future states.

With the availability and growth of the cybercrime underground, any attacker, novice or advanced, can purchase plug-and-play threats designed to identify and avoid malware analysis environments. The ability to identify and protect against evasive malware is more crucial now than ever.


Why Should You Advocate and Test This Capability?

The SANS Institute has reported that use of malware programs capable of evading detection rose 2,000 percent between 2014 and 2015. Today, most modern malware leverages these advanced techniques, which can bypass traditional, common network security solutions to transport attacks or exploits through network security devices, firewalls and sandbox discovery tools. Although we can’t build individual tools to detect every piece of evasive malware, it’s critical to utilize systems that can identify evasive techniques and automatically counteract them.


Move Beyond the Status Quo

Fight Automation with Automation
Attackers often make slight modifications to malicious code, resulting in malware variants and/or polymorphic malware. Threat signatures that rely on specific variables, such as a hash, filename or URL, get one-to-one matches only against known threats. This “new” malware is considered unknown, as protections have only been created for the original malware, not its modified variant.

Rather than use signatures based on specific attributes, NGFWs should use content-based signatures to detect variants, polymorphic malware, or command-and-control activity. Content-based signatures detect patterns that allow them to identify known malware that has been modified. This results in signatures capable of automatically preventing tens of thousands of variants created from the same malware family, rather than trying to create signatures for individual variants.
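An added illustration of the distinction above, not code from the original post or from any vendor product. It uses two constructed byte strings (not real malware) that differ only in padding and an embedded key, and contrasts a hash signature on the original with a content-based signature over the bytes shared by the whole family; the marker string and path are invented for the example.

```python
import hashlib
import re

# Constructed samples (not real malware). The "variant" is the original with
# one extra padding byte and a different embedded key, the kind of trivial
# modification that produces a new hash while the family's content is unchanged.
MARKER = b"ReportAgent/1.0;POST /api/check-in;id="
ORIGINAL = b"MZ\x90\x00" + b"\x00" * 12 + MARKER + b"A" * 8
VARIANT = b"MZ\x90\x00" + b"\x00" * 13 + MARKER + b"B" * 8
BENIGN = b"MZ\x90\x00" + b"\x00" * 12 + b"Hello, world"

# Attribute-based signature: the SHA-256 of the one sample that was analysed.
HASH_SIGNATURES = {hashlib.sha256(ORIGINAL).hexdigest()}

# Content-based signature: a pattern over what the family keeps invariant
# (header magic, the shared marker, the check-in path, the key's shape),
# deliberately tolerant of padding length and of the per-build key value.
CONTENT_SIGNATURE = re.compile(
    rb"\AMZ\x90\x00\x00{8,}ReportAgent/\d\.\d;POST /api/check-in;id=[A-Z]{8}"
)


def hash_match(sample: bytes) -> bool:
    """One-to-one match: only the exact bytes that were signed are detected."""
    return hashlib.sha256(sample).hexdigest() in HASH_SIGNATURES


def content_match(sample: bytes) -> bool:
    """Pattern match on family-invariant content, so modified variants hit too."""
    return CONTENT_SIGNATURE.search(sample) is not None


def compare(samples: dict) -> dict:
    """Return {name: (hash_hit, content_hit)} for each sample, for side-by-side review."""
    return {name: (hash_match(s), content_match(s)) for name, s in samples.items()}


if __name__ == "__main__":
    for name, (h, c) in compare({"original": ORIGINAL, "variant": VARIANT, "benign": BENIGN}).items():
        print(f"{name:9s} hash-signature={h!s:5s} content-signature={c}")
```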

Command-and-control threats can pose a challenge, with malware authors creating C2 communications that automatically change the DNS or URL. Automated signatures based on these artifacts quickly become outdated and ineffective. C2 signatures based instead on analysis of C2 outbound communication patterns are much more effective protections that can scale at machine speed when created automatically.
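An added example of the C2 point above, not from the original post. It runs over constructed proxy log lines (not real traffic) in which one implant rotates through three invented domains while keeping the same check-in URI shape and cadence, and contrasts a domain blocklist with a pattern signature over the outbound communication itself, including the beacon interval.

```python
import re
from datetime import datetime

# Constructed proxy log lines: "<timestamp> <source-ip> GET <url>". The same
# client (10.0.0.5) checks in every 60 s, each time to a different domain.
LOG_LINES = [
    "2024-01-01T10:00:00 10.0.0.5 GET http://c2-alpha.example/api/v2/ping?id=0a1b2c3d&seq=1",
    "2024-01-01T10:00:30 10.0.0.7 GET http://cdn.example/static/app.js",
    "2024-01-01T10:01:00 10.0.0.5 GET http://c2-beta.example/api/v2/ping?id=0a1b2c3d&seq=2",
    "2024-01-01T10:02:00 10.0.0.5 GET http://c2-gamma.example/api/v2/ping?id=0a1b2c3d&seq=3",
    "2024-01-01T10:02:15 10.0.0.5 GET http://news.example/story/42",
]

# Artifact-based signature: the one domain observed during the first analysis.
DOMAIN_BLOCKLIST = {"c2-alpha.example"}

# Generic line parser, used only for the blocklist lookup.
LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) GET https?://(?P<host>[^/]+)(?P<path>\S*)$")

# Pattern-based signature: the check-in path, an 8-hex-digit client id and a
# sequence counter, matched whatever host the implant has rotated to.
C2_PATTERN = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) GET https?://(?P<host>[^/]+)/api/v2/ping\?id=[0-9a-f]{8}&seq=\d+$"
)


def blocklist_hits(lines):
    """Hosts caught by the domain list: only the domain already known."""
    return [m.group("host") for m in map(LINE.match, lines)
            if m and m.group("host") in DOMAIN_BLOCKLIST]


def pattern_hits(lines):
    """Hosts caught by the communication-pattern signature, regardless of domain."""
    return [m.group("host") for m in map(C2_PATTERN.match, lines) if m]


def beacon_intervals(lines):
    """Seconds between consecutive pattern-matching requests, per source IP."""
    times = {}
    for m in filter(None, map(C2_PATTERN.match, lines)):
        times.setdefault(m.group("src"), []).append(datetime.fromisoformat(m.group("ts")))
    return {src: [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]
            for src, ts in times.items()}


if __name__ == "__main__":
    print("blocklist:", blocklist_hits(LOG_LINES))
    print("pattern:  ", pattern_hits(LOG_LINES))
    print("intervals:", beacon_intervals(LOG_LINES))
```

The regular 60-second interval is the kind of behavioural artifact a pattern signature can key on even after the domain and URL have changed.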


Validate with More Than One Analysis Method
More determined, skilled attackers will create entirely new threats with purely new code, the costliest method for attackers. Any such threat will be treated as an unknown and go undetected.

When an entirely unknown threat enters an organization, the clock begins ticking. Protections must be created and distributed across all security products more quickly than a threat can spread. This can be accomplished by automating various aspects of the analysis, including static analysis with machine learning, dynamic analysis and bare metal analysis. Implementing automation results in accurate identification of threats, enables rapid prevention, improves efficiency, makes better use of the talent of your specialized staff, and improves your organization’s security posture.


Create Knowledge Gaps for Attackers
Purpose-built virtual analysis environments add challenges and costs for attackers as they work to avoid discovery. Evading such an environment requires techniques different from those that work against commonly known analysis environments, making it more likely that you identify the threat.


Move Beyond Virtual Environments
There are a number of ways to counter threats built to evade analysis environments, and a modern, effective security platform should combine multiple techniques. For example, combining dynamic analysis in a sandbox environment with bare metal analysis has proven effective in countering malware that assesses the environment to determine if it is being analyzed. When employing bare metal analysis, if the file successfully evades virtual analysis, it can be steered to a real hardware environment for detonation and observation. The malicious activity of the file, which would otherwise have remained dormant in the virtual environment, will fully execute in the bare metal environment.


Prevent the Spread of an Attack, Share Threat Intelligence
Threat intelligence sharing allows organizations to benefit not only from their own intelligence but from that of other organizations globally. Should an organization identify an entirely new threat and share that information, other organizations in the sharing network would be able to identify and treat this new threat as “known.” This intelligence should come from multiple sources and be correlated and validated for the necessary context. Combined with the creation and distribution of an actionable response, it further contributes to rapid, automated prevention.


Recommended RFP Questions

  • Does your cloud-based malware analysis system support multiple analysis techniques, including bare metal analysis for detecting evasive, sandbox-aware malware?
  • Does your cloud-based malware analysis system use a custom-coded hypervisor to be effective against sandbox-aware malware?
  • Does your malware analysis system, after analyzing malware, create threat prevention signatures, such as:
    • Content-based AV signatures to prevent known and unknown variants of malware
    • Pattern-based anti-spyware signatures to detect communications to known and unknown C2 infrastructure
  • Does your cloud-based malware analysis system support malware analysis for file types of Windows, Android and macOS operating systems?

Learn more about the 10 things to test for in your future NGFW.

The post 10 Things To Test In Your Future NGFW: Protect Evasive and Never-Before-Seen Attacks appeared first on Palo Alto Networks Blog.
