Traditional Security Solutions Can’t Detect Evasive Malware
The latest firewalls, IPS, and first-generation sandbox appliances are no match for today’s sophisticated and evasive malware.
When explaining what Lastline does, occasionally I hear a comment along these lines: “Well, we have a next-generation firewall and it has malware detection built-in”. If it’s not a firewall that they are referring to, it’s the “latest IPS” or “anti-virus”, or “state-of-the-art” email filtering system that has “malware detection” included as an embedded feature.
Their comment is really a question: “Aren’t we OK with what we have?”
In response I explain that while a lot of security products have some level of malware detection features built-in, today’s advanced malware is so sophisticated and evasive that it can easily detect and bypass those defenses. Even the very latest firewalls, IPS, and first-generation sandbox appliances are no match for today’s sophisticated and evasive malware.
In this brief blog post I hope to shed a little light on this topic for readers who may also be struggling with this concept. Here are a few significant points that explain why advanced malware goes undetected by most security products:
1) Signature-based solutions won’t detect advanced malware: The reality is that today’s advanced malware will often configure itself differently for every instance, so there are no known traditional signatures that identify it as malicious. Any malware detection system that depends heavily on signatures—and most do—will fail.
2) Advanced malware detects and bypasses most security controls: Sophisticated malware today can easily detect when it is being scrutinized by most enterprise security solutions, including advanced firewalls, IPS, or first-generation sandboxes. Once it detects that a security solution is in place, the malware will mask its presence; the security system will then categorize it as non-malicious and let it continue into the network.
3) Next-generation firewalls aren’t equipped to detect evasive malware: In an effort to remain competitive, the latest firewalls add and combine security features traditionally belonging to other dedicated security products such as antivirus and intrusion prevention. However, most next-generation firewalls still rely heavily on signatures to detect malware, which as noted above is no longer effective. Furthermore, even the latest firewalls are unable to fully examine the code of an object or trigger the execution of its malicious functions. As a result, advanced malware remains undetected by even the most recent firewalls.
4) Intrusion Prevention Systems (IPS) can be fooled by advanced malware: Good IPS solutions perform deep packet inspection and protocol analysis to detect significant aberrations from expected behavior, particularly in the way an object communicates within and outside the network. However, advanced malware has become exceptionally adept at communicating its malicious payloads within the boundaries of established application protocols. And because IPS tools can only see network packets, not the actual execution of malicious code, it is almost impossible for IPS solutions to detect the latest and most sophisticated malware.
5) Antivirus & web malware filters don’t stop unknown malicious traffic: Since advanced malware and the vulnerabilities it exploits are not previously known, traditional antivirus and web filters don’t detect or stop it.
6) Email filters rely on known signatures and obsolete blacklists: With a million new variants of malware introduced daily, and the use of dynamic domains and URLs, advanced malware easily evades email filters that rely on previously known bad signatures, URLs and domains.
Advances in malware development take place at breakneck speed and result in malware that is very adept at evading detection. Defeating new strains of malware requires detection that is only possible with the most advanced malware detection platform. Malware features bolted onto another product tend to be a mile wide, but only an inch deep. Without continuous development and innovation, even fully deployed malware detection platforms don’t have the ability to compete with today’s sophisticated malware.
Latest posts by Bert Rankin