Why it’s harder for threats to hide behavior on a corporate network

Threats are becoming more sophisticated. Threat actors are determined to find ways to disguise malicious activity and evade traditional detection techniques.

For example, some malware variants employ techniques to alter its fingerprints.  In others, network attacks can hide behind encryption, or even subtly change their method of presentation to evade detection.

Some industry watchers point to a  historical dependence upon signature-based detection as a reason such stealth efforts are effective.  While there are many possible ways attempt to resolve this issue, one of the more prevalent involves behavior analysis.

To understand the strengths and weaknesses of behavioral analysis in comparison to signatures, we must first briefly examine signature detection.  

How signature detection works

The term “signature” refers to any detection technology that looks for unique characteristics of an existing threat to detect future occurrences. In the case of viruses or malware, this may be a unique pattern of code within a file or a unique file hash associated with the malware sample.  

This method of detection requires that the threat has been discovered already (or at least anticipated) and its signature is available.  In order to work effectively, the threat must look precisely the same each and every time it is observed.  If it changes even slightly it will evade traditional signature detection.

To draw an analogy, it is like getting a fingerprint of a known criminal. The human fingerprint is unique, and if that fingerprint is ever seen again in a matter of criminal activity, it can alert the authorities as to the identity of the criminal. 

However, for fingerprints to work as proof of identity, authorities must have caught the criminal at least once in the past, or in some way have previously obtained fingerprints. In addition, the perpetrator must continue to leave his or her fingerprints at new crime scenes.  If the criminal wears a pair of gloves on the next heist, then law enforcement may not have the information to definitively determine the criminal’s identity. 

Similarly, viruses can change, either manually or by the originator through a mechanism called “polymorphism.” This is where the fingerprint or hash can change as it moves between infected hosts to avoid the uniquely identifiable pattern.

Why are signatures still used if they can be so easily evaded? These are used for the same reason police still use fingerprints.  They are an easy way to discover threats that have already been seen.  Although they may not catch everything, they are still highly effective against known threats.

How behavior analysis is different

If signatures are like fingerprints, behavioral detection is like profiling.  Rather than looking for a specifically identifiable pattern, behavioral analysis looks at suspicious activity in order to determine it’s a threat.

Drawing upon the profiling analogy, while it would be useful to identify the criminal throwing a brick through the window and grabbing the television, it is rare for advanced threats to be so revealing. However, if you see somebody loitering by the store window late at night, that may be an indicator of which you would take note. 

Further, if that person then seems to be spending a lot of time hunched over the door lock and hiding his or her face, the indications of nefarious activity begin to mount. Any single action may not be a concern independently, but when enough of these types of secondary behaviors are identified, a behavior analysis can escalate the incident as a potential alert and this works the same way in the context of corporate networks.

For example, security may see a user visit a website of concerning reputation. Later, that user’s system makes a single call to another website where a large encrypted payload is downloaded.  Shortly after, another short web call is made to another host without any reputation at all. Finally, you see that user communicating peer-to-peer with other local systems, in a way that is typically uncharacteristic by that user.  Any single one of these events may not be worthy of triggering an alert, but in combination, they lead to a pattern that may tell a greater story.

The drawback to behavioral analyses is similar to the drawbacks of using the profiling techniques in law enforcement: false positives.   Yet, false positives, in the case of cybersecurity, may not be as problematic: if your behavioral detection system is not sending at least a few false positives, it is probably allowing some threats to go undetected.

In behavioral detection, it is not about eliminating false positives, it is about keeping the ratio of false positives-to-detections low. If a large enterprise detects five real threats for each false positive, most organizations would consider this a reasonable trade-off. 

Balancing techniques in a layer defense

For all the new tools available to hackers to hide their intentions, the fact remains, that profiting from breaking into a corporate network means bad actors are going behave in ways that are unusual. This behavior is simply harder to hide, and it presents another opportunity for security to mitigate risk.

As with signatures, most organizations cannot rely exclusively on behavioral analysis.  Doing so would be prone to miss threats that would be otherwise easily identified by signatures.   To that end, it’s not a matter of one security technique being better than another, rather it’s understanding the strengths and weaknesses of each and employing them in a way that best protects the enterprise.