Cyber Security Mini Deep Dive: Context in Cybersecurity
With the rising tide of targeted attacks like WastedLocker, blocking malware payloads from common attack vectors is often not enough. Modern threats rely more and more on legitimate tools or on heavy obfuscation to defeat AV engines. Desperate attempts to detect such files have resulted in legitimate files being flagged by over 20 engines on VirusTotal. Furthermore, attackers often break into their targets by hand first, so that normal detection mechanisms never come into play.
As threats continue to evolve, our research indicates that context is likely to become an important part of the detection process. After all, data encryption and mining are legitimate activities; only when carried out by a malicious actor do ransomware and crypto-miners become a potent threat. This has even led legislators to consider restrictions on technologies such as encryption, which is unlikely to be a productive approach. As a deeply technical problem, this is likely to be a rich area for academic research.
We have found that using the context of an application's execution, gathered through active dynamic analysis, is extremely helpful in determining intent - the key factor that distinguishes malware from harmless, albeit difficult-to-analyse, files. For instance, screenshots combined with data from window handles can tell us whether an application is telling the user what it is about to do or is attempting to do it silently. Such systems can be cloud-hosted or local, and with some training, automated decision-making could be introduced that better understands the user's interaction with a suspicious application. While this raises further privacy concerns and calls for responsible handling of user data by security applications, it could be the next inevitable step for anti-malware and anti-virus programs.
We are striving to include such paradigms in our testing approach as well as in tools like Mal X, which will hopefully help users proactively protect themselves against future zero-day attacks.
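The following is an added illustration of the idea in the paragraph above, not code from the article or from Mal X: the same bulk file-encryption behaviour is judged differently depending on whether the process had a visible window telling the user what it was doing. The `ProcessContext` record, the window-handle fields, the entropy threshold and the sample processes are all hypothetical; the byte samples are constructed rather than captured.

```python
"""Context-aware verdict on a process observed under dynamic analysis.

Hypothetical helper (not Mal X code): it combines two kinds of context the
article mentions, what the process did to files and whether the user could
see what it was doing (window-handle data), into a single verdict.
"""
import math
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcessContext:
    """Facts a sandbox or endpoint agent can collect about one process."""
    image: str
    visible_windows: int                       # top-level windows the user could see
    ui_text: List[str]                         # titles / dialog text read from those handles
    files_written: List[Tuple[str, bytes]]     # (path, sample of bytes written)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 looks like ciphertext or compressed data, text is ~4-5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def assess(ctx: ProcessContext, entropy_threshold: float = 7.0, min_files: int = 3) -> dict:
    """Decide whether bulk encryption was disclosed to the user or done silently."""
    high_entropy = [path for path, sample in ctx.files_written
                    if shannon_entropy(sample) >= entropy_threshold]
    bulk_encryption = len(high_entropy) >= min_files

    # "Told the user": at least one visible window whose text mentions what is happening.
    disclosure_words = ("encrypt", "backup", "archive", "compress")
    disclosed = ctx.visible_windows > 0 and any(
        word in text.lower() for text in ctx.ui_text for word in disclosure_words)

    if bulk_encryption and not disclosed:
        verdict = "suspicious"
        reason = "bulk high-entropy writes with no visible window explaining them"
    elif bulk_encryption:
        verdict = "likely-legitimate"
        reason = "bulk high-entropy writes, but the activity is disclosed in the UI"
    else:
        verdict = "benign"
        reason = "no bulk encryption observed"
    return {"image": ctx.image, "verdict": verdict, "reason": reason,
            "high_entropy_files": high_entropy}


# Constructed samples, not real captures. bytes(range(256)) has entropy exactly 8.0
# and stands in for ciphertext; repeated ASCII stands in for an untouched document.
CIPHERTEXT_LIKE = bytes(range(256)) * 4
PLAINTEXT_LIKE = b"Quarterly report: revenue grew in all regions.\n" * 20


def silent_encryptor_sample() -> ProcessContext:
    """Hypothetical process rewriting documents as ciphertext with no window at all."""
    return ProcessContext(
        image="svchost_update.exe",
        visible_windows=0,
        ui_text=[],
        files_written=[(f"C:\\Users\\alice\\Documents\\file{i}.docx.locked", CIPHERTEXT_LIKE)
                       for i in range(5)],
    )


def disclosed_backup_sample() -> ProcessContext:
    """Hypothetical backup tool doing the same writes, but with a progress dialog saying so."""
    return ProcessContext(
        image="backup_tool.exe",
        visible_windows=1,
        ui_text=["Encrypting backup set 3 of 3 - 60% complete"],
        files_written=[(f"D:\\Backups\\set{i}.enc", CIPHERTEXT_LIKE) for i in range(5)],
    )


def editor_sample() -> ProcessContext:
    """Ordinary editor saving a plain document."""
    return ProcessContext(
        image="notepad.exe",
        visible_windows=1,
        ui_text=["report.txt - Notepad"],
        files_written=[("C:\\Users\\alice\\report.txt", PLAINTEXT_LIKE)],
    )


if __name__ == "__main__":
    for sample in (silent_encryptor_sample, disclosed_backup_sample, editor_sample):
        result = assess(sample())
        print(f"{result['image']:20} {result['verdict']:18} {result['reason']}")
```

The point of the three samples is that file-level evidence alone cannot separate the first two processes; only the window-handle context does. A real agent would replace the constructed `ui_text` and `files_written` fields with data from screenshot OCR and file-system hooks, and would tune the entropy threshold against its own corpus.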