HackDig : Dig high-quality web security articles for hackers

Stop More than the Usual Suspects (Blog 2 of 4)

2014-11-18 18:20

We’ll be releasing four blog posts over the next week. Each blog will contain a repeated clue word to help you solve the puzzle below. Track all four clues to help solve the final puzzle for a chance to win a Nikon D3200 DSLR camera and 18-55mm lens! To enter the contest, after the last blog, email us at with the right answer and the clue words.

Puzzle:  This comic book superhero is a legend in print and movie

Blog 1 clue hint (11/13) :   Publishing company
Blog 2 clue hint (11/18):   Movie
Blog 3 clue hint (11/20):   His Superhero power
Blog 4 clue hint (11/25):   The Superhero’s Alias

If signature-based security can’t be trusted to catch and avenge zero-day attacks and other emerging malware threats, what will it take to plug the holes in our defenses? Most of us know something about inspection techniques that don’t rely on signatures, but what does the whole solution space look like? How do the available technologies relate to each other and to the set of inspection platforms that make up a typical network security environment?

We believe we can reliably identify and avenge unknown malware by layering three types of signature-less inspection over a conventional signature-based defense.

1. Code behavior analyses predict the behavior of files and executables through direct examination or execution of their code. Three separate types should be employed in any comprehensive strategy: code emulation, dynamic code analysis, and true static code analysis.

Code emulation simulates a working runtime environment to study the behavior of entire files, not just their embedded scripts. It’s sometimes called “sandboxing light”. McAfee network security solutions employ two types of emulation: real-time emulation and deep file analysis.

Real-time emulation uses lightweight virtual environments to simulate a wide range of browsers, file types and scripting languages. Each emulator provides a stripped-down subset of CPU, memory, operating system, and API resources to elicit and identify malicious behaviors without incurring significant latency. Deep file analysis uses a streamlined JavaScript environment to find threats concealed in embedded scripts, providing a low-latency alternative to all-or-nothing script blocking. Both types of emulation are far more cost-effective than routing every unknown file to a sandbox.

Dynamic code analysis, often called sandboxing, instantiates a fully operational runtime environment that is isolated to allow safe execution of potentially malicious code. All observed behaviors are logged and classified, including changes to the OS, files and registry entries. Full static code analysis is a natural and necessary complement to sandbox inspection: it completely unpacks and reverse engineers a file’s code, then parses and evaluates all attributes, instructions and potential runtime behaviors. This can reveal input-dependent behaviors and delayed or hidden execution paths that may never run during sandbox analysis, for example a payload gated on a future date or placed behind a sleep that outlasts the sandbox timeout.

2. Traffic behavior analyses identify and avenge malware attacks through behavioral anomalies in the traffic flows they create. These techniques correlate large volumes of network and endpoint events to extract faint threat signals from the background noise of normal network activity. In essence, they connect the dots between apparently random events. Three types of traffic behavior analytics should be present in a complete defense: network threat behavior analysis, endpoint intelligence, and advanced botnet detection.

Network threat behavior analysis is an in-network correlation engine that automatically models normal levels of application bandwidth consumption, host-to-host traffic, and encryption utilization, and then applies the models to identify subtle anomalies that reveal a successful penetration. Endpoint intelligence provides similar insight into host-level behaviors by positively associating every network session with the originating system, user and application process. It leverages intelligence in the network and on every Windows host to reveal relationships between endpoint executables and network traffic flows, making it possible to identify and avenge malicious network connections and executables in near real time with detailed process context for every attack.

Advanced botnet detection is a layer of traffic and network event correlation specifically dedicated to botnet security. It correlates multiple network alerts or anomalies and applies heuristics to reveal the true fingerprints of botnet infections.
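The two traffic-behavior ideas above (a learned baseline of per-host volume and host-to-host pairs, then correlation of several weak anomalies into a botnet verdict) can be shown on a handful of flow records. The following is an added example, not McAfee's engine: the flow format ("timestamp src dst bytes"), the addresses and the thresholds are all constructed for the demonstration. It learns a baseline from a training window, flags volume spikes and never-before-seen peers in a detection window, checks each source/destination pair for near-constant check-in intervals (beaconing), and only calls a pair a botnet suspect when the beacon goes to a new peer.

```python
"""Added example: traffic-behavior baselining plus botnet correlation over
constructed flow records. Not real traffic and not a vendor implementation."""
import statistics
from collections import defaultdict

BUCKET_S = 60          # outbound volume is modelled per 60 s bucket per source
Z_THRESHOLD = 3.0      # volume alert when more than 3 sigma above baseline
MIN_BEACON_FLOWS = 4   # need several flows before judging periodicity
MAX_BEACON_CV = 0.1    # stdev/mean of inter-flow gaps below this = regular

# Constructed 'timestamp src dst bytes' records for the learning window.
TRAINING_FLOWS = """\
0 10.0.0.5 10.0.0.9 1200
60 10.0.0.5 10.0.0.9 1400
120 10.0.0.5 10.0.0.9 1100
180 10.0.0.5 10.0.0.9 1300
0 10.0.0.7 10.0.0.9 800
60 10.0.0.7 10.0.0.9 900
120 10.0.0.7 10.0.0.9 850
180 10.0.0.7 10.0.0.9 950
0 10.0.0.8 10.0.0.9 320
60 10.0.0.8 10.0.0.9 290
120 10.0.0.8 10.0.0.9 310
180 10.0.0.8 10.0.0.9 300
"""

# Constructed detection window: 10.0.0.7 bursts to a new external peer,
# 10.0.0.8 starts checking in to a new peer every 300 s.
DETECTION_FLOWS = """\
240 10.0.0.5 10.0.0.9 1250
300 10.0.0.5 10.0.0.9 1150
240 10.0.0.7 10.0.0.9 900
300 10.0.0.7 203.0.113.4 950000
240 10.0.0.8 198.51.100.7 310
540 10.0.0.8 198.51.100.7 300
840 10.0.0.8 198.51.100.7 305
1140 10.0.0.8 198.51.100.7 298
1440 10.0.0.8 198.51.100.7 302
"""


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, nbytes = line.split()
            flows.append((int(ts), src, dst, int(nbytes)))
    return flows


def build_baseline(flows):
    """'Normal' = per-source mean/stdev of bytes per bucket plus the set of
    peers each source is known to talk to."""
    per_bucket = defaultdict(lambda: defaultdict(int))
    peers = defaultdict(set)
    for ts, src, dst, nbytes in flows:
        per_bucket[src][ts // BUCKET_S] += nbytes
        peers[src].add(dst)
    volume = {}
    for src, buckets in per_bucket.items():
        vals = list(buckets.values())
        sd = statistics.stdev(vals) if len(vals) > 1 else 0.0
        volume[src] = (statistics.mean(vals), sd)
    return {"volume": volume, "peers": dict(peers)}


def detect_anomalies(baseline, flows):
    """Sorted (kind, src, detail) alerts: new peers and volume spikes."""
    alerts = set()
    per_bucket = defaultdict(lambda: defaultdict(int))
    for ts, src, dst, nbytes in flows:
        per_bucket[src][ts // BUCKET_S] += nbytes
        known = baseline["peers"].get(src)
        if known is None:
            alerts.add(("unbaselined_host", src, dst))
        elif dst not in known:
            alerts.add(("new_peer", src, dst))
    for src, buckets in per_bucket.items():
        if src in baseline["volume"]:
            mean, sd = baseline["volume"][src]
            for bucket, total in buckets.items():
                if sd > 0 and (total - mean) / sd > Z_THRESHOLD:
                    alerts.add(("volume_spike", src, f"bucket {bucket}: {total} bytes"))
    return sorted(alerts)


def find_beacons(flows):
    """Pairs whose inter-flow gaps are nearly constant: [((src, dst), period)]."""
    times = defaultdict(list)
    for ts, src, dst, _ in flows:
        times[(src, dst)].append(ts)
    beacons = []
    for pair, ts_list in times.items():
        if len(ts_list) >= MIN_BEACON_FLOWS:
            ts_list.sort()
            gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
            mean = statistics.mean(gaps)
            if mean > 0 and statistics.stdev(gaps) / mean < MAX_BEACON_CV:
                beacons.append((pair, round(mean)))
    return sorted(beacons)


def botnet_suspects(baseline, flows):
    """Correlate two weak signals: a beacon to a peer never seen in baseline."""
    new_peers = {(s, d) for kind, s, d in detect_anomalies(baseline, flows)
                 if kind == "new_peer"}
    return sorted(pair for pair, _ in find_beacons(flows) if pair in new_peers)
```

Periodicity on its own is a weak signal: run find_beacons over the training window and every host's regular one-minute polling of 10.0.0.9 looks like a beacon. Requiring the beacon to go to a previously unseen peer is what turns that noise into the single correct suspect, which is the kind of multi-signal correlation the post is describing.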

3. Global reputation analysis, the final category of signature-less inspection, adds external context to local inspection and assessment. Our version, McAfee Global Threat Intelligence, is a comprehensive set of cloud-based services that provide real-time reputation insight on files, websites, and network connections. It collects and correlates threat data from more than one hundred million product nodes and from billions of IP addresses.

Beyond their various detection strategies, signature-less malware analytics are distinguished by their speed and computational requirements. Near real time techniques are best used on security controls at the network edge: firewalls and network gateways. Slightly more intensive inspections are appropriate for the intrusion prevention system and the special purpose modules that are often deployed with it. Finally, the most compute-intensive techniques—dynamic and full static code analysis—are best reserved for an out-of-line sandbox solution. Tight integration between security systems is essential to coordinate inspection and avoid redundancies.

To learn more about signature-less inspection techniques and how they are utilized in McAfee Network Security solutions, check out our white paper Secure Beyond the Signature.


The post Stop More than the Usual Suspects (Blog 2 of 4) appeared first on McAfee.

Source: blogs.mcafee.com/business/stop-usual-suspects-blog-2-4
