2011 was, to say the least, a landmark year for network security and the overall evolution of malware, and there are no indications that things will slow down anytime soon. In fact, we expect to see the following trends ramp up in 2012:
The Malware Arms Race Will Continue to Accelerate
While in 2011 the headlines were filled with the escapades of high-profile groups such as Anonymous and LulzSec, it is the appearance of Stuxnet and Duqu that will likely have the most significant impact on security as we move into 2012. At the most basic level, the seemingly related code of Stuxnet and Duqu presents a major technical leap forward in the sophistication of malware. The malware industry is obviously a very Darwinian crucible, where tactics that are seen to work in one type of malware are quickly pilfered and incorporated into other competing types of malware. With Duqu and Stuxnet the technical leap is so stark that it can’t help but be analyzed and emulated by other malware authors.
However, in the case of Stuxnet/Duqu, the “who” is just as important as the “what”. The very sophistication of Stuxnet implies that it was created by a much more sophisticated organization than we have seen from malware before. We have all witnessed the change in malware and intrusions over the past several years as “hackers” evolved from being individuals honing their skills and looking for fame into more sophisticated criminal enterprises. As the organizations behind malware continue to trend ever more sophisticated, one would have to assume that things will continue to get worse before they get better.
Controlling the Dark Side of Applications Will Become Essential
Modern malware is defined just as much by its communications as by the actual infecting file. The vast majority of malware today is designed to remain resident on a host machine, provide repeated access for an attacker and remotely control the infected host. All of this means that the malware in question must be able to communicate repeatedly without being detected or arousing suspicion.
This also means that malware needs communications channels that can remain anonymous, or at least can hide from the prying eyes of security. Today this is being done by repurposing a variety of security technologies for the benefit of the malware, such as encrypting malware traffic to avoid inspection, using proxies or Tor to anonymize traffic, tunneling communications within accepted applications or using evasive tunneling applications.
These are incidentally many of the same techniques that employees have learned to leverage in order to avoid network security controls when looking to engage in application or web activity that the company has not sanctioned. As a result, it will be increasingly important for IT to be able to recognize and control these attempts to subvert security policy in much the same way they have learned to control peer-to-peer applications and social networking applications over the past few years. The truth is that if you can remove the ability for malware to communicate, you can typically take away a great deal of its power.
Sandbox Analysis of Malware Will Go Mainstream in Network Security
As discussed in the prior section, malware has become much more of a network-based animal than at any point in the past. This means that anti-malware technologies are no longer the sole domain of end-point security, and increasingly network security will have a critical role to play. As malware has become more sophisticated and adept at avoiding traditional anti-virus signatures using obfuscation techniques, dynamic code or simply designing custom malware that is unique to its target, IT teams have been forced to look for new techniques for finding and controlling malware.
Over the past year, we have seen a familiar anti-malware technology, the sandbox, find a new home in network security. This makes sense for a variety of reasons.
First, a sandbox provides an environment where a suspicious file can be executed to observe what it really does. This means IT can determine whether a file is malicious or not based on what it actually does, rather than relying simply on whether it matches a signature that their AV vendor provided.
Secondly, integrating this technology into network security provides a centralized point of visibility where all traffic can be analyzed. Network security by design creates choke-points where traffic can be inspected without actually being an end-point in the conversation. This is incredibly powerful against malware, which is highly adept at owning one or both ends of a conversation. This sort of behavior-based sandbox analysis of malware is now being incorporated into high-throughput inline firewalls, allowing more and more IT teams to actually bring the technology out of the lab environment and put it into production. This will be a very timely addition to the IT security arsenal at a time when malware seems to be on the march.
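To make the two ideas above concrete (malware revealing itself through its communications, and a sandbox judging a file by what it does rather than by a signature), here is an added example that is not part of the original post and not Palo Alto Networks code. It scores a constructed sandbox report, whose JSON-like layout is an assumption for this example, on persistence, clockwork beaconing to one destination, and encrypted traffic on a port where TLS is not expected.

```python
import statistics
from typing import Dict, List

# Constructed sandbox report for a hypothetical sample (not real product output).
# "t" is seconds since detonation; the layout is an assumption for this example.
REPORT = {
    "sample": "invoice.pdf.exe",
    "registry_writes": [
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater",
    ],
    "connections": [
        {"t": 0, "dst": "198.51.100.7", "port": 8443, "proto": "tls"},
        {"t": 60, "dst": "198.51.100.7", "port": 8443, "proto": "tls"},
        {"t": 121, "dst": "198.51.100.7", "port": 8443, "proto": "tls"},
        {"t": 180, "dst": "198.51.100.7", "port": 8443, "proto": "tls"},
    ],
}

RUN_KEY_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
TLS_EXPECTED_PORTS = {443}        # where a browser-like TLS session is normal
TOR_RELAY_PORTS = {9001, 9030}    # default Tor OR and directory ports


def beacon_regularity(times: List[int]) -> float:
    """Coefficient of variation of inter-connection gaps; near 0 means clockwork beaconing."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return float("inf")  # too few samples to call it periodic
    return statistics.pstdev(gaps) / statistics.mean(gaps)


def analyse(report: Dict) -> Dict:
    """Return a verdict built only from observed behaviour, never from a hash or signature."""
    findings: List[str] = []
    if any(m in k.lower() for k in report["registry_writes"] for m in RUN_KEY_MARKERS):
        findings.append("persistence: autorun registry key written")
    by_dst: Dict[str, List[int]] = {}
    for c in report["connections"]:
        by_dst.setdefault(c["dst"], []).append(c["t"])
    for dst, times in by_dst.items():
        if len(times) >= 3 and beacon_regularity(sorted(times)) < 0.1:
            findings.append(f"c2: periodic beaconing to {dst}")
    conns = report["connections"]
    if any(c["proto"] == "tls" and c["port"] not in TLS_EXPECTED_PORTS for c in conns):
        findings.append("evasion: encrypted traffic on a non-standard port")
    if any(c["port"] in TOR_RELAY_PORTS for c in conns):
        findings.append("evasion: connection to a default Tor relay port")
    verdict = "malicious" if len(findings) >= 2 else "suspicious" if findings else "benign"
    return {"sample": report["sample"], "verdict": verdict, "findings": findings}
```

Thresholds such as the 0.1 regularity cut-off are illustrative; a production sandbox would tune them against known-good software that also phones home on a schedule.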
These techniques of course won’t be a panacea for the problems facing IT and security managers today, but they will provide new types of visibility and control that security staff will need in order to keep pace with a changing threat landscape. If we can shine light on the covert channels where malware hides its communications, and detect malware based on its actual behavior, then we, as an industry, will be able to see and control the fundamental building blocks of even the most advanced malware moving forward.
Going to RSA Conference 2012 in San Francisco? Visit Palo Alto Networks at booth #1638.
By Steve Gerrard, Marketing, Northern Europe for Palo Alto Networks