Taking a Proactive Approach to Cybersecurity

While discussing military strategy more than 200 years ago, George Washington offered some advice that modern-day cybersecurity professionals are now taking to heart. “Offensive operations,” he wrote in 1799, “are oftentimes the surest means of defense.”

For decades, network security has been a defensive process designed to minimize the damage from attacks after they’ve occurred. Today, many organizations are taking a more offensive approach, using advanced analytics, automation and other techniques to actively hunt for threats in order to neutralize them before an attack occurs.

The shift has become a necessity. The scale and frequency of today’s threats are making it nearly impossible to keep pace. It is estimated that 350,000 new malicious programs are identified every day, and total annual malware volumes have increased by an astonishing 1,500 percent over the past 10 years.

Evolving Threats Require New Approach

The events of the past two years have surely complicated cybersecurity efforts. The pandemic forced organizations to rapidly accelerate adoption of digital technologies to support mass numbers of remote workers. One consequence has been a dramatically expanded attack surface with millions of new access points for cyberattacks.

What’s more, cybercriminals are using a variety of advanced techniques to create highly sophisticated exploits that avoid detection by conventional security solutions. Some of the more effective methods include:

  • Code injection. Hackers exploit input validation flaws to inject malicious code into legitimate software, which serves to camouflage the malware from antivirus products.
  • Binding. Hackers attach malicious code to a legitimate program. Because the code isn’t actually injected into the software, the original app remains unmodified and doesn’t raise any red flags.
  • Timing attacks. Malware authors can use multiple API functions to create sleep operations for their code. This allows the malware to remain dormant to avoid automatic scans, awaiting a trigger before launching its payload.
  • Code obfuscation / morphing. Using an algorithm to change character strings, hackers can make their code virtually unreadable by antivirus solutions. The characters are then decoded when the code is executed.
  • Malicious cryptography. With stolen or forged SSL certificates, cybercriminals can encrypt malware to evade detection by firewalls and intrusion detection systems.
  • Polymorphism. Malware authors use a program known as a polymorphic engine to create code that continually mutates while keeping the original algorithm intact. Essentially, the code changes every time it runs, altering identifiable characteristics such as file names or encryption keys to make itself unrecognizable to antivirus and anti-malware programs.
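The obfuscation and polymorphism items above share one mechanism: the bytes an antivirus signature matches on are transformed before the file is written, and transformed back only at run time. The following Python script is an added illustration of that failure mode and of the defender's counter, written from the scanning side; it is not code from the original post. The "signature", the sample payload, and the single-byte XOR used as the stand-in for a morphing engine are all constructed, and the decode-at-scan-time check is the simplest form of what signature engines do with their XOR string modifiers.

```python
"""Why a static string signature misses obfuscated and polymorphic variants,
and what a decode-at-scan-time check looks like.

Added illustration, not code from the original post.  The signature, the
sample payload and the XOR "engine" are constructed for the example."""
from __future__ import annotations

# Constructed stand-in for a malware signature: the exact bytes a naive
# antivirus engine would search for.  It is not a real indicator.
SIGNATURE = b"EVIL_MARKER_cmd"

# Constructed sample "program" that carries the signature in the clear.
SAMPLE_PAYLOAD = b"echo hello; EVIL_MARKER_cmd --run"


def signature_scan(blob: bytes, signature: bytes = SIGNATURE) -> bool:
    """Naive static scan: a hit only if the exact signature bytes are present."""
    return signature in blob


def xor_transform(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the simplest form of the character morphing described
    in the post.  XOR is its own inverse, so the same call also decodes."""
    if not 0 <= key <= 255:
        raise ValueError("key must be a single byte")
    return bytes(b ^ key for b in data)


def polymorphic_variants(payload: bytes) -> dict[int, bytes]:
    """Model of a polymorphic engine: the same payload with a different key
    per build.  Key 0 is excluded because it leaves the bytes unchanged."""
    return {key: xor_transform(payload, key) for key in range(1, 256)}


def xor_aware_scan(blob: bytes, signature: bytes = SIGNATURE) -> int | None:
    """Decode-at-scan-time check: try every single-byte key and look for the
    signature in the decoded bytes.  Returns the key that revealed it, or
    None if no key does.  Cost is 256 passes, which is why real engines
    bound the key space or emulate the decoder instead of brute-forcing."""
    for key in range(256):
        if signature in xor_transform(blob, key):
            return key
    return None


def evasion_report(payload: bytes = SAMPLE_PAYLOAD) -> dict[str, int]:
    """Count how many variants each scanning strategy catches."""
    variants = polymorphic_variants(payload)
    return {
        "variants": len(variants),
        "distinct_byte_patterns": len(set(variants.values())),
        "caught_by_static_scan": sum(signature_scan(v) for v in variants.values()),
        "caught_by_xor_aware_scan": sum(
            xor_aware_scan(v) is not None for v in variants.values()
        ),
    }


if __name__ == "__main__":
    # Expected: 255 variants with 255 distinct byte patterns; the static
    # scan catches none of them, the decoding scan catches all of them.
    print(evasion_report())
```

The point for a defender is in the report: every one of the 255 builds has a different byte pattern, so a signature written against the plaintext catches none of them, while a scanner that undoes the transformation before matching catches all of them. That is the same trade-off the post's "proactive" measures make at larger scale, spending analysis effort up front rather than waiting for the decoded payload to show up in memory.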

According to one study, 98 percent of new malware instances use at least one of these evasive tactics. A third of those are classified as “hyper-evasive,” using six or more techniques for evading detection.

Incremental Changes

Traditional defensive security measures such as firewalls, antivirus, antimalware, spam filters and threat monitoring remain essential elements of a comprehensive cybersecurity framework. However, organizations should make incremental enhancements to their existing security, including the incorporation of more proactive measures such as predictive analytics, penetration testing, intrusion prevention and vulnerability scanning.

Most important, companies should implement security systems with artificial intelligence (AI) and machine learning (ML) capabilities. With the capacity to rapidly analyze massive amounts of data, such systems can detect security threats in near real time. In some cases, they can actually predict attacks based on risk modeling. Additionally, AI and ML can automate many repetitive tasks, helping security teams keep pace with escalating attacks.

The theory behind Washington’s wartime philosophy is that strong, offensive actions will preoccupy the opposition and hinder its ability to mount an attack. That’s as true in today’s cyberwars as it is for any military action. We’ll take a closer look at specific proactive security measures in our next post.
