Advanced Malware Protection vs traditional Antivirus technology
How threat detection has evolved to deal with a new generation of polymorphic and metamorphic malware
What is Advanced Malware?
The goal of advanced malware is generally to penetrate a system and avoid detection. Usually, it has a specific target, often an organisation or enterprise, with the objective of financial gain, for example ransomware. It may also target similar organisations within the same sector. Advanced malware can take the form of common malware that has been modified to increase its capability to infect.
After being loaded onto a computer system, advanced malware can self-replicate and insert itself into other programs or files, infecting them in the process. It can even remain inactive for a period of time. Additionally, advanced malware can test for sandbox conditions intended to block malicious files and attempt to deceive security software into concluding that it is not malware.
The damage from advanced malware breaches can range from losing a single endpoint (say a PC or server) to incapacitating an entire IT infrastructure, resulting in loss of productivity for employees and potentially interrupting customer services, product sales, and support.
Ransomware
Ransomware is a particularly nasty type of malware that encrypts the victim's files, rendering them inaccessible until a ransom is paid to the attacker. It is a growing threat that has caused significant financial and operational damage to organisations worldwide.
Once ransomware infects a system, it begins encrypting files, making them unreadable without the decryption key held by the attacker. The victim is then presented with a ransom note, typically demanding payment in cryptocurrency, in exchange for the decryption key.
Ransomware attacks can have severe consequences for businesses. They can result in data loss, operational downtime, financial loss, and damage to a company's reputation. In some cases, organisations are unable to recover their data even after paying the ransom.
By implementing proactive security measures and adopting a comprehensive backup strategy, organisations can better protect themselves against this growing menace.
Signature detection
Traditional antivirus (AV) software relies heavily upon detecting the signature, or binary pattern, of a virus to identify and prevent damage from malware. This method involves comparing the signature of a file or program to a database of known malware signatures. If a match is found, the antivirus software blocks the file or program from running.
The main limitation of this method as that it can only detect and block malware threats that have already been identified. But most malware authors stay a step ahead of such software by writing oligomorphic, polymorphic, and more recently metamorphic viruses, which use obfuscation techniques such as encrypting parts of themselves or otherwise modify themselves so as to not match signatures in the virus database.
Heuristic detection
By around 2013, the security industry's focus had shifted toward signature-less approaches to antivirus protection, because traditional antivirus solutions were struggling to accurately detect low-prevalence threats and day-zero attacks.
A day-zero attack is an attack that exploits a vulnerability that has not yet been discovered or patched. Such attacks can be particularly dangerous because they can be launched against targets without warning and can cause significant damage before a patch is released.
Advanced Malware Protection (AMP) takes a more proactive approach to threat detection and prevention. AMP uses machine learning and behaviour-based analysis, sometimes referred to as heuristics, to identify and block both known and unknown threats in real-time. This technology can also isolate and contain infected devices to prevent the spread of malware throughout a network. AMP's machine learning algorithms can identify and analyse patterns of behaviour that are indicative of malware, even if it does not have a signature in the database.
In simple terms, if it behaves like malware, AMP assumes it’s malware.
Examples of malware-like behaviours might include attempting to modify system files, attempting to access sensitive data, or exhibiting network traffic patterns that are characteristic of malware. AMP can also identify and block malware that uses advanced evasion techniques to avoid detection, such as obfuscation and encryption.
Heuristics can be particularly effective at detecting and blocking zero-day attacks and attacks that do not involve a malicious file being downloaded to the device. It can also identify and block malware that uses legitimate applications as a vector for attack. This includes malware that exploits vulnerabilities in commonly used applications such as Adobe Reader or Microsoft Office.
A potential limitation of heuristics is that it can generate false positives, which are alerts that indicate the presence of malware when there is none. This can be a problem for organisations, as it can lead to unnecessary disruption and additional work for security teams. However, the overall effectiveness of heuristics in detecting and blocking potential threats makes it an invaluable tool in the fight against malware.
In summary, by analysing the behaviour of files and programs, AMP can identify and block threats that may be missed by traditional antivirus technology.
Cisco Secure Endpoint
Cisco Systems, Inc. is a leading provider of security solutions and has played a pivotal role in advancing the field of cybersecurity. With its innovative technologies and comprehensive approach to security, Cisco has established itself as a trusted name in the industry.
Stopping threats at the earliest possible moment minimises damage to endpoints and reduces downtime after a breach. Cisco Secure Endpoint (formerly known as AMP for Endpoints) utilises a robust set of preventative technologies to stop malware in real-time: -
Antivirus: Secure Endpoint includes constantly updated, definition-based antivirus engines for both Windows and Mac or Linux endpoints. All endpoints benefit from custom signature-based detection, allowing administrators to deliver robust control capabilities and enforce blocklists. The antivirus signature database resides locally on each endpoint, meaning it does not rely on cloud connectivity to operate. This ensures that your endpoints are protected both on- and offline.
File reputation: Secure Endpoint maintains a comprehensive database of every file that has ever been seen and a corresponding good or bad disposition. As a result, known malware is quickly and easily quarantined at the point of entry without any processor-intensive scanning.
Polymorphic malware detection: Malware actors frequently create multiple versions of the same malware to evade common detection techniques. Secure Endpoint has the capability to detect these variants, known as polymorphic malware, through loose fingerprinting. Loose fingerprinting involves searching for similarities between the suspicious file's content and the content of known malware families. If a significant match is found, the file is flagged as malicious.
Machine learning analysis: Secure Endpoint analyses the attributes of known malware and uses algorithmic learning to train itself how to identify malicious files and activity. It’s machine learning capabilities are enhanced by using the extensive data set from Cisco Talos to improve the accuracy of its models. By combining these machine learning techniques, Secure Endpoint can effectively detect previously unknown malware at the point of entry.
Exploit prevention: Memory attacks can penetrate endpoints, and malware evades security defences by exploiting vulnerabilities in applications and operating system processes. The exploit prevention feature protects endpoints from exploit-based memory injection attacks.
Script protection: Secure Endpoint enhances visibility into the trajectory of scripts executing on endpoints and helps protect against script-based attacks commonly used by malware. It provides additional protection through script control, which allows the Exploit Prevention engine to block the loading of certain DLLs by commonly exploited desktop applications and their child processes.
Behavioural protection: Secure Endpoint continuously monitors user and endpoint activity to provide real-time protection against malicious behaviour. It does this by comparing a stream of activity records to a constantly updated set of attack activity patterns. This allows for granular control and protection against the malicious use of living-off-the-land tools.
Device Control: Secure Endpoint allows administrators to manage the usage of USB mass storage devices and protect against attacks from these devices. They can review device connect/disconnect events and access violation events, and use the API to manage device control configurations and rules, among other features. They can also define the default behaviour when devices are connected.
Cisco Talos
Like other Cisco security products, Secure Endpoint benefits from the latest threat intelligence from Cisco Talos, one of the largest commercial threat intelligence teams in the world.
Talos provides Secure Endpoint with up-to-date information on the latest malware and threat activities, so it can detect and block new and emerging threats quickly. This real-time threat intelligence is critical for effective endpoint security, as threats can appear and evolve rapidly.
In addition to providing threat intelligence, Talos also works closely with the Secure Endpoint development team. This relationship is a critical aspect of the solution's continuing effectiveness.
How to use AMP
It’s important to understand that no single product or technology, however good, can protect against all types of threat, and therefore AMP is most effective when integrated into a broader security strategy. Organisations should implement a multi-layered security approach that includes other security controls such as firewalls, intrusion detection systems, dns-layer security and secure email gateways. It’s also essential to keep your software up to date and apply security patches as they become available.
It’s this combination of layered security measures and good housekeeping that provides true defence-in-depth, reducing the risk of a successful malware attack. Still, by incorporating AMP as part of this broader security strategy, organisations can significantly enhance their overall cybersecurity posture.
Summary
In comparison to traditional antivirus technology, and for a similar cost, AMP provides a much more robust and comprehensive approach to cybersecurity.
While traditional antivirus technology has been the standard for many years, it is no longer enough to protect organisations from the increasing threat of malware. By using Advanced Malware Protection as part of a broader security strategy, organisations can safeguard their networks and data from potential attacks.
We can offer a free demo of Cisco Secure Endpoint
For more information please call +44 1226 761188 or email [email protected]
Cisco, Cisco Secure Endpoint, Cisco AMP for Endpoints and Cisco Talos are trade names of Cisco Systems, Inc.