As if cyber-defense wasn’t difficult enough – try battling malware that constantly changes its identifiable features in order to evade detection. Polymorphic malware isn’t new; the first polymorphic virus dates back to 1989. But fast-changing polymorphic malware now makes up 97% of the malware organizations face – updating itself with new definitions every few days, mutating faster than traditional security systems can keep up and making previous detection signatures obsolete.
There are two factors to weigh when assessing your security posture: a solid EDR solution must clearly be a top priority, alongside network-based monitoring tools and anomaly detection capabilities. As with so many tools and solutions in the security market today, we are compelled to say “buyer beware”: just because something carries a popular acronym doesn’t mean it has the underlying capabilities to successfully detect or defend against polymorphism.
To defend against polymorphic attack malware, a company must take a layered approach to security that includes the endpoint as well as the network. In today’s blog, we focus on the network – and three strategies for protecting against polymorphic malware.
- Network-based protection: Changing your IP addresses. Constantly changing your IP addresses provides a moving target that makes an attack more difficult for adversaries. However, if you’re continuously changing the IP addresses of your hosts, you’ll need a DNS system that can quickly link your users to the appropriate servers while also routing traffic in a way that doesn’t impact your business. As a result, you’re left with a large amount of trailing automation to develop and build, and dynamic DNS only partially addresses this.
- Host-based protection: Changing your hostname or other identifying characteristics of the endpoint. This involves updating your hostname or other endpoint identifiers such as the MAC address, as well as the hardware-specific and software-specific information about that host. If an adversary is inside your network collecting information to try to determine the location of your crown jewels, once the IP address has been modified it’s tough for them to reacquire it. They have to start a new reconnaissance process, giving you a significant time advantage and more time to identify them.
- Application-based protection: Recompiling code and/or randomly changing the memory locations of executables. Given the complex process involved in recompiling code, we see the majority of businesses focusing instead on memory management rather than letting the standard memory management of the platform or software development stack do what it does. This involves manually or explicitly managing memory allocation, usage and consumption in order to move data around in memory. If malicious code captures memory chunks and attempts to read data, the data’s memory location has already changed. While tedious, this strategy can also give the “good guys” a time advantage: when the memory location changes, the adversary needs to restart their reconnaissance.
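The network-based strategy above hinges on the “trailing automation” it mentions: every address change must be mirrored in DNS, and the record TTL must be shorter than the rotation interval or resolvers keep handing out the old address. The following is an added illustration of that bookkeeping, not DataEndure code; the hostnames, the 10.0.0.x address pool and the intervals are constructed sample values, and it models the rotation itself rather than any real DNS API.

```python
import random
from dataclasses import dataclass, field


@dataclass
class IpRotator:
    """Tracks which address each host holds and moves hosts to fresh ones."""
    pool: list                     # addresses hosts may occupy (constructed sample)
    rotate_every: int              # seconds between rotations
    dns_ttl: int                   # TTL advertised on the hosts' A records
    rng: random.Random = field(default_factory=lambda: random.Random(7))
    records: dict = field(default_factory=dict)   # hostname -> current address

    def __post_init__(self):
        # A resolver may cache the old record for a full TTL; if that outlives
        # the rotation interval, clients keep contacting a stale address that
        # another host may now hold. Enforce TTL < interval before rotating.
        if self.dns_ttl >= self.rotate_every:
            raise ValueError("DNS TTL must be shorter than the rotation interval")
        self.free = set(self.pool)

    def assign(self, host):
        """Give `host` a fresh address, never the one it held before."""
        new = self.rng.choice(sorted(self.free))   # sorted: deterministic per seed
        self.free.remove(new)
        old = self.records.get(host)
        if old is not None:
            self.free.add(old)                     # recycle only after choosing
        self.records[host] = new
        return new

    def rotate_all(self):
        """One rotation cycle: every known host moves. Returns the new map."""
        for host in list(self.records):
            self.assign(host)
        return dict(self.records)


def stale_entries(snapshot, current):
    """Hosts whose address in an earlier snapshot no longer matches reality."""
    return {h for h, a in snapshot.items() if current.get(h) != a}


def demo():
    pool = [f"10.0.0.{i}" for i in range(10, 20)]    # constructed sample pool
    rot = IpRotator(pool, rotate_every=600, dns_ttl=60)
    for host in ("db1", "app1", "files1"):
        rot.assign(host)
    recon = dict(rot.records)        # what an observer learned before rotation
    after = rot.rotate_all()
    return recon, after, stale_entries(recon, after)
```

After one cycle every entry an observer recorded beforehand is wrong, which is the time advantage the post describes; the pool must hold more addresses than hosts for the rotation to have somewhere to move them.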
For many organizations, this might seem daunting. The requisite staff, expertise, training and tools to combat these complex issues can be overly burdensome – and cyber adversaries are absolutely banking on the fact that most businesses simply can’t keep up with the pace of change.
DataEndure’s suite of managed security services protects organizations with users across 24 countries and three continents – and can help you protect your business from polymorphic attacks. And with our rapid deployment, you can boost your security posture in weeks, not months. Our complimentary Security Health Check is a great place to start, identifying potential weaknesses in your network and giving you the insight and opportunity to strengthen your defenses before a potentially crippling attack occurs.