
Defeating Malware With Its Own DNA

2016-11-14
It's widely known that human DNA evidence has had a major impact in the criminal justice system. Now another kind of DNA may have a similar impact in the fight to eradicate malicious software.

Malware DNA, also known as "malware provenance," is the art and science of attributing elements of one object to another, earlier object. The technique has applications outside information security -- for example, in genetics, or in testing the authorship of student papers.

One way malware writers evade detection is polymorphism. Each build changes the code just enough -- different registers, inserted junk instructions, a different packer or key -- that signature-based antivirus no longer recognizes it, while the underlying logic is untouched. Provenance counters that technique by measuring how much code a program shares with known samples instead of matching exact bytes; that shared code is its "DNA."

Each malware variant retains code inherited from its predecessors, all the way back to the original malware family. For example, CryptoWall 3.0 shares that inherited code with earlier CryptoWall versions and with CryptoDefense before them.

Because the technique compares code rather than running the sample or waiting for a signature, matching is fast, and it can flag zero day malware -- previously unseen malicious programs -- as long as the new sample reuses code from a known family.
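The code-sharing measurement described above -- similar code surviving a polymorphic rewrite, and a successor inheriting its predecessor's code -- as an added example that is not from the article or from any product it mentions. The listings are constructed x86-style pseudo-disassembly (not real malware), and the names ToyLocker, encrypt_file and delete_shadow_copies are invented for illustration. Instructions are normalized (registers, constants and junk abstracted away) and compared as n-gram "shingles", so the score reflects shared logic rather than shared bytes.

```python
"""
Toy "malware DNA" comparison. The score is the share of normalized
instruction n-grams (shingles) two samples have in common, so cosmetic
edits a polymorphic engine makes (register renaming, junk instructions,
changed constants) do not move it, while genuinely new code lowers it
and unrelated code scores near zero.

Added example; not code from the article or any vendor product. The
listings are constructed pseudo-disassembly, ';'-separated to keep them
short. Family and function names are invented.
"""
import re

# Constructed "known family" sample: a byte-XOR loop, then a call.
ORIGINAL = (
    "push ebp; mov ebp, esp; sub esp, 0x40; mov eax, [ebp+8]; xor ecx, ecx; "
    "loop_top:; mov dl, [eax+ecx]; xor dl, 0x5a; mov [eax+ecx], dl; inc ecx; "
    "cmp ecx, 0x40; jl loop_top; call encrypt_file; leave; ret"
)
# Constructed polymorphic variant: NOPs inserted, registers renamed,
# XOR key changed. Same logic, different bytes, so a byte signature misses it.
VARIANT = (
    "push ebp; mov ebp, esp; nop; sub esp, 0x40; mov ebx, [ebp+8]; nop; "
    "xor esi, esi; loop_top:; mov dl, [ebx+esi]; xor dl, 0x7c; mov [ebx+esi], dl; "
    "inc esi; nop; cmp esi, 0x40; jl loop_top; call encrypt_file; leave; ret"
)
# Constructed successor version: the same core with one new feature appended.
SUCCESSOR = ORIGINAL.replace(
    "call encrypt_file;",
    "call encrypt_file; push offset vssadmin_cmd; call delete_shadow_copies;",
)
# Constructed unrelated program; shares only the compiler prologue/epilogue.
UNRELATED = (
    "push ebp; mov ebp, esp; push offset greeting; call printf; add esp, 4; "
    "xor eax, eax; leave; ret"
)

REG = re.compile(r"\b(e?[abcd]x|e?[sd]i|e?[sb]p|[abcd][lh])\b")
IMM = re.compile(r"\b0x[0-9a-fA-F]+\b|\b\d+\b")
JUNK = {"nop"}  # instructions a polymorphic engine sprinkles in for free


def normalize(listing):
    """Abstract a listing into instructions that survive polymorphism:
    labels and junk dropped, registers -> REG, numeric operands -> IMM."""
    out = []
    for raw in re.split(r"[;\n]", listing):
        line = raw.strip()
        if not line or line.endswith(":"):
            continue
        mnemonic, _, operands = line.partition(" ")
        if mnemonic in JUNK:
            continue
        operands = IMM.sub("IMM", REG.sub("REG", operands))
        out.append(f"{mnemonic} {operands}".strip())
    return out


def shingles(instrs, n=3):
    """Set of n-instruction windows: the 'genes' being compared."""
    return {tuple(instrs[i:i + n]) for i in range(len(instrs) - n + 1)}


def jaccard(a, b, n=3):
    """Symmetric overlap of the two shingle sets, 0.0 .. 1.0."""
    sa, sb = shingles(normalize(a), n), shingles(normalize(b), n)
    return len(sa & sb) / len(sa | sb) if sa | sb else 1.0


def containment(known, sample, n=3):
    """Fraction of the known family's shingles present in the sample.
    Unlike Jaccard it is not penalized when the sample has grown."""
    sk, ss = shingles(normalize(known), n), shingles(normalize(sample), n)
    return len(sk & ss) / len(sk) if sk else 0.0


def attribute(sample, families, threshold=0.5, n=3):
    """Name the family whose code the sample contains most of, or 'unknown'."""
    best, score = "unknown", 0.0
    for name, reference in families.items():
        c = containment(reference, sample, n)
        if c > score and c >= threshold:
            best, score = name, c
    return best


if __name__ == "__main__":
    families = {"ToyLocker": ORIGINAL}  # constructed family name
    for label, sample in [("variant", VARIANT), ("successor", SUCCESSOR),
                          ("unrelated", UNRELATED)]:
        print(f"{label:9s} jaccard={jaccard(ORIGINAL, sample):.3f} "
              f"containment={containment(ORIGINAL, sample):.3f} "
              f"-> {attribute(sample, families)}")
```

The variant scores 1.0 because every change it makes is normalized away; the successor still contains about 83 percent of the family's shingles even though its Jaccard score drops to 0.625, which is why attribution keys on containment. Two caveats for real use: compiler boilerplate (prologues, epilogues, runtime stubs) is shared by unrelated programs and inflates scores unless it is filtered out, and the shingle length n trades sensitivity to small edits against accidental overlap between unrelated code.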

Stacks of Band-Aids

Up to now, malware fighters have been struggling to stem the tide of malware crashing over their systems, noted Igor Volovich, CEO of Romad Cyber Systems.

"We've got stacks of Band-Aids," he told TechNewsWorld. "We keep adding more and more bandages, and we stop the bleeding for a while, but we never really fix the root cause."

The information security industry for years has focused on preventing infections, but that's proving to be inadequate in today's threat landscape.

"We've got to respond," Volovich said. "That's why now you see things like threat hunting, trying to decrease the dwell time an attacker spends inside your network from the current average of 266 days to a few days or hours."

The next evolution in cyberdefense will be to disrupt an attacker's ability to do what they do and do it at scale, globally and consistently, he explained. "Unfortunately, none of the solutions that have been offered by the industry over all these years have been able to do that in any meaningful way."

Eradicating Malware

That can change with the use of provenance. With it, even zero day malware -- malware previously unseen by security researchers -- can be stopped in its tracks.

"In reality, all zero day malware is a variant of previously seen malware," said Arun Lakhotia, a professor of computer science at the University of Louisiana at Lafayette.

"They're mostly not new malware code -- they're mostly variations of previous malware," he told TechNewsWorld. "Writing new software takes up time and money so malware authors don't write new software every day, so most malware is a variant of a previous version."

That's where genetics enters the picture. Each variant is like the child of a parent. Just as paternity can be identified with biological DNA, so can malware paternity be identified with coding DNA.

Because writing new malware code is expensive, provenance can hurt criminals where it hurts the most -- the wallet -- because they will no longer be able to reuse their malicious code so freely.

"If we can disrupt what they're doing through economic means without having to throw them in jail, we can eradicate malware as we know it," Volovich said.

DevOps Security Shortcomings

DevOps is a means for delivering applications faster. It also has the potential to create more secure apps, although a recent study by Hewlett Packard Enterprise Security found organizations are far from tapping into that potential at the moment.

Everybody believes that security should be an integral part of DevOps and that their DevOps transformations actually will make them more secure, notes the study. However, very few DevOps programs actually have included security as part of the process, since it's a much lower priority than speed and innovation.

"The reality is that there isn't a lot of security happening within DevOps," said Maria Bledsoe, director of product marketing at HPE Security.

"While 99 percent of people believe DevOps is a security opportunity, only about 20 percent actually use application security within DevOps," she told TechNewsWorld.

If that situation persists, the study warns, conditions could worsen in DevOps environments, because silos still exist between development and security.

Security Silos

Indeed, HPE found that one of the key factors impeding security adoption in DevOps is insulation of security from the process.

"While people believe that security should be embedded, they're really not bringing security people into the conversation when they're talking about software development," Bledsoe said. "It's oftentimes an afterthought."

That was evident in the HPE report's findings. When organizations using DevOps were asked how they were protecting applications, the overwhelming majority cited security practices and controls downstream in the development process -- practices like penetration testing and network security.

What's more, nearly one in five of the outfits (17 percent) admitted they're not using any technologies to protect their apps.

Security Engineer's Worst Nightmare

The problem is not just that security teams are walled off from the development cycle, but also that development teams are walled off from the security process.

"There's no feedback loop. If something major is found, an email blast goes out to a bunch of people and everyone starts running around and yelling the house is on fire," Bledsoe said.

"The majority of the time, nothing actually happens," she continued. "They rely on network or perimeter security instead of patching. That's why, without proper planning, DevOps can be a security engineer's worst nightmare."