Skip to main content

Cyber Security Mini Deep Dive: Context in Cybersecurity

Rohit Satpathy

With the rising tide of targeted attacks like WastedLocker, blocking malware payloads from common attack vectors is often not enough. Modern threats focus more and more on the use of legitimate tools or overwhelming obfuscation to thwart AV engines. A desperate attempt to detect such files has resulted in legitimate files now being flagged by over 20 engines on VirusTotal. Furthermore, attackers often hack into their targeted victims first, thereby preventing any normal detection mechanisms from ever coming into play.

As threats continue to evolve, our research indicates it is likely that context will be an important part of the detection process. After all, data encryption and mining are legitimate activities. However, when carried out by a malicious actor, ransomware and crypto-miners become a potent threat. This has even caused legislators to consider restrictions on certain technologies like encryption, which is unlikely to be a productive approach. This is likely an extremely interesting area of academic research, as a deeply technical problem.

We have found that using the context of the application's execution, with active dynamic analysis, to be extremely helpful in determining intent - a key factor that distinguishes malware from harmless, albeit difficult to analyse files. For instance, screenshots combined with data from window handles can tell us if an application is telling the user what it wants to do or attempting to do it silently. Such systems can be cloud-hosted or local, and with a bit of training, automated decision-making processes could be introduced that better understand the user's interaction with a suspicious application. While this does raise further privacy concerns and calls for responsible handling of user data by security applications, it could be the next inevitable step for anti-malware and anti-virus programs.

We are striving to include such paradigms in our testing approach as well as tools like Mal X, that will hopefully help users proactively protect themselves against future zero-day attacks.

 

MS Teams Link

Speaker bio

Rohit, better known as 'Leo' online, is a cybersecurity professional, consultant and the founder of The PC Security Channel, one of the most popular cybersecurity channels on YouTube, and a trusted source for anti-virus tests and product reviews, viewed millions of times each year. Rohit helps small and large enterprises make informed decisions about cybersecurity and consults with technology vendors to help improve their products. In his free time he enjoys engaging with his community on Discord, playing games, and gliding at nearby airfields. He has a specific interest in cybersecurity research, artificial intelligence, threat analysis and testing frameworks.

Share this: