Endpoint Detection and Response
New threat patterns require a different approach. Zero day attacks, ransomware, and fileless threats all elude the antivirus solutions your customers rely on. Take threat protection to the next level with Endpoint Detection and Response, which uses AI to stay one step ahead of the next cyberattack.
- We provide real-time, automated protection against evolving threats at each endpoint.
- We harness AI engines to provide static and behavioral analysis on new threat patterns.
- We use machine learning to evolve threat responses.
Five Cyberthreats that Slip Past Traditional Antivirus
Many traditional antivirus (AV) programs operate on signatures. As malicious software is discovered, a signature describing the file is generated, added to a database, then the database gets pushed out to the customer base. If the antivirus discovers a file on your machine that matches a signature, that file gets quarantined and/or removed. By December 2018, malware was being discovered at an alarming rate of 350,000 new threats per day. With that number continuing to rise, signature-based AV solutions
Polymorphic Malware
As mentioned in the introduction, many traditional AV programs rely on signature-based
detection. This involves comparing a file against a known entry, otherwise known as a signature, in a database of known threats. This style of protection has some flaws. First, the AV user must have the most recent list of signatures, requiring frequent updates on their part. If that user hasn’t kept their virus definitions current, they’ll be defenseless against newer files. Beyond that, this method of protection is purely reactive. The AV company must know about the signature before it can
flag it to their user base, and malware often uses evasion techniques to avoid detection by AV companies. The key flaw here is there’s often a knowledge or time gap in coverage. Polymorphic malware
was designed to exploit this flaw. If, for example, the malware gets detected by an AV program, it will regenerate itself using new characteristics that do not match known signatures. This makes it hard for signature-based AV to truly put a stop to the infection. Additionally, there are roughly 350,000 new malware variants created each day5. This ensures those using signature-based AV will almost always be catching up.
Weaponized Documents
commands or download executables to compromise the devices and networks they access. Hackers often use embedded scripts to execute PowerShell® commands, and since PowerShell is built-in to the Windows® operating system, these attacks can damage endpoints and even entire networks. However, PDFs aren’t the only vulnerable file types—XML-based documents, HTML, and Office® documents often carry these malicious scripts hidden within them. An AV solution based on comparing executable signatures will miss weaponized documents because it will scan only the initial document, not the malicious code the document launches.
Browser Drive-By Downloads
Drive-by downloads are files downloaded to the endpoint using vulnerabilities in the browser or a browser add-in. By doing this, the file downloads, and the user and AV program are none the wiser. The download could come from a legitimate website with a compromised script or
ad service, or it could be a malicious website specifically set up to initiate the download. These attacks start with email or social phishing, email attachments, or well-disguised pop-up links to lure users to a website. Criminals then leverage exploits in browsers or plugins to download malware and begin the attack. Once this is complete, the criminal can start doing damage—whether that involves installing a cryptominer, a remote access trojan, or ransomware.
Fileless Attacks
Drive-by downloads are files downloaded to the endpoint using vulnerabilities in the browser or a browser add-in. By doing this, the file downloads, and the user and AV program are none the wiser. The download could come from a legitimate website with a compromised script or
ad service, or it could be a malicious website specifically set up to initiate the download. These attacks start with email or social phishing, email attachments, or well-disguised pop-up links to lure users to a website. Criminals then leverage exploits in browsers or plugins to download malware and begin the attack. Once this is complete, the criminal can start doing damage—whether that involves installing a cryptominer, a remote access trojan, or ransomware.
Obfuscated Malware
AV companies use several methods for discovering malware. One
common discovery method involves executing files in sandbox environments and observing for
malicious behavior. Another common discovery method involves scanning the code for common
signs of malicious intent.
Cybercriminals have found ways around this. In the same way security professionals put up defenses to protect their data and assets, hackers also have ways of protecting the malicious payload within a piece of malware. Newer malware will detect a sandbox environment and remain benign in the sandbox environment, only to attack in a live setting. This can make it impossible for the AV to detect behavioral methods while in the sandbox environment.
Another method to circumvent AV involves “packers,” which use either encryption or compression to prevent someone from seeing within the file. Additionally, malware creators may
wrap the malicious code within benign code within a file to hide the bad code.
Any of these techniques make it hard for security researchers to detect (and understand) these malicious files to begin with. Further, if you use an antivirus program using heuristic scans within a sandbox environment, these techniques help the malware evade detection before it
goes live on a machine.