Everything You Need to Know About Next-Gen Endpoint Security

It sounds like yet another marketing slogan: “Next-Gen Endpoint security”. Of course it's a marketing slogan, but it’s also much more than that! The online threat landscape is changing. Recently there has been a lot of furore surrounding ransomware, exploits and signatureless antivirus because of the enormous increase in zero day malware. The new innovative technologies used by hackers to infect systems require a different approach to avoid infection. This makes Next-gen endpoint security the new standard. In this blog our expert Roël Bouman tells you why.

An article by Roël Bouman, Solution Advisor Security at COMPAREX

Roël Bouman, Solution Advisor at COMPAREX

Roël Bouman

Traditional Endpoint security

We all know the “traditional antivirus” or “Endpoint Protection”, based on what we know. Files that are known to contain malware are blacklisted via a signature so the file can be recognized. As soon as a new file is found it can be recognized and blocked by means of a scan. These solutions rely completely on the threat intelligence of the manufacturer and the regularity with which the Endpoint Protection solution is updated. Because more than a million new viruses, zero day malware, are spread every day it is extremely difficult to remain up-to-date.

New security threats

The IT landscape continues to change rapidly and so do the associated security measures. 2016 was a year full of phishing, malware, spyware and zero-days but more specifically it was the year of exploits and ransomware. This continued to be a major issue in 2017 as well, with the spread of WannaCry and PETYA ransomware. Many security manufacturers have trouble detecting and blocking these threats until such time as the virus definition is recognized and a signature is available. Why is that?

New threats come in via exploits. Exploits use an updated killchain compared to traditional malware. This new killchain is successful because it is a lot more complex. Once again the endpoint is the focal point. We're dealing with devices that are not linked to the network and consequently don't have optimum security behind a firewall or gateway. We see that because of the new technologies used by hackers and the greater number of steps they use, the endpoint security becomes increasingly important. This latest killchain looks as follows:

Typical workflow of a hacker

Today’s hackers work “smarter” and their hacks comprise many more steps than before.
 
#1 Research

In the research phase a hacker’s target is comprehensively investigated, for example by checking out social media. This is also called “social engineering”. Because nearly everyone uses social media this is an excellent means of obtaining information for hackers as well.

#2 Phishing

After the target has been investigated a phishing campaign is developed. This is sent to an individual, an organization or even a sector. Increasingly, hackers use spear phishing, where the e-mail is completely tailored to the target. This significantly increases the chances of success.

#3 Redirect

In the phishing e-mail the target is induced to click on a link. The customer, often because other websites are opened behind a legitimate website, ends up on the page of a hacker. This doesn't even have to be visible.

#4 Exploit-kit

From his website the hacker starts a scan via an exploit kit. This scan determines the weaknesses of the target’s system. This may be an old version of Java, Adobe or Office.

#5 Dropper file

The hacker utilizes a weakness in the target system to get in. They do this by sending a dropper file. Because the dropper file is sent to the system via an SSL connection of the hacker, things like firewalls have trouble intercepting it.

#6 Call Home

The dropper file communicates back to the server of the hacker, also called the command & control server. This way the hacker knows that his break-in was successful and he can now take over the system via scripting. This uses a lot of technologies that provide access to the memory or root-rights, for example. Because this is done through a legitimate application it is not recognized. Some of these technologies are: Heap spray, SEHOP, Stack Pivot and DLL Hijacking.

#7 Data Theft

The final step is the phase in which the hacker achieves his objective. This objective may be stealing data, activating ransomware or logging all the activities in the system, so functioning as spyware.

Phishing

Phishing is an old technology that started with e-mails from the “Nigerian Prince” asking the recipient to send money. These days phishing is still highly effective. We get to see many phishing e-mails and they look extremely professional, so we can hardly blame users for clicking on these links. We think that phishing will continue to be a highly effective and important channel for hackers to penetrate a system or network.

Ransomware

Ransomware is an important example of malware that often starts with phishing. With the arrival of Bitcoins ransomware has really taken off, because of the untraceable flow of money associated with them. Bitcoins are easy to obtain but it is impossible to find out who they are being paid to. Bitcoins, combined with the increase in value and importance of data, makes encrypting a system and demanding a ransom for the return of the data highly lucrative. The combination of exploits and the quantity of malware samples (including ransomware samples) versus old technologies like signature-based antivirus makes ransomware extremely successful. This makes “next-gen” technologies a must.

Next-gen endpoint technologies

There are several current trends in the security market that respond to the various new threats. We observe that the endpoint is the focal point in the new attack approach of hackers. As a result there is a lot of development in the new technologies that are applied specifically to the endpoint. It is noticeable that none of these technologies uses signatures any longer. Below is a summary of the prevailing new technologies in the market.

First of all there is behavioural analysis. This looks at applications and which processes they start up and, consequently, the actual behaviour they display. For example, it isn't logical if Adobe or Office are used to view other files that have no relation to the software package in question. By using this technology people can respond to hackers who will use an exploit to misuse a familiar application.

Traffic detection is capable of recognizing Command & Control traffic from an Endpoint agent. This technology responds to Phase 6 from the aforementioned killchain, the call home phase. This module recognizes and blocks the communication from a dropper file to the hacker, in which the hacker is notified that the file has successfully infiltrated the system. As a result the hacker is unable to follow up via the aforementioned scripting.

Exploit mitigation is the technology that recognizes the script technologies of a hacker. So far, approximately 25 of these scripts technologies are known. By recognizing these technologies exploit mitigators are able to block them. This stops the hacker from acquiring full rights to the system. Exploit mitigators do not depend on signatures because the different scripting technologies of a hacker rarely increase. This means this technology has virtually no need for updates.

Machine learning is the current buzzword of all suppliers referring to themselves as “next-gen”. The term is actively used in the communication of the different manufacturers. This also causes a lot of confusion about the actual meaning of the term.

When a second device benefits from the knowledge acquired by a first device, for example because a virus was found on this device, this is already referred to as machine learning. This is what every signature-based virus does in every instance. In that case a virus is found somewhere in the world and it is patched. A new signature is then published so the other systems will recognize the virus instantly.

Deep learning

To differentiate between the term machine learning, and the innovative technology behind it, and the technology that has always existed, we now talk about deep learning. When deep learning is applied signatures are superfluous. This is where the term signatureless antivirus comes from. A deep learning agent is independently capable of recognizing viruses, even if they have never been found previously. This is a complex process and it is most easily explained using the following example:

Deep Learning example
Source: reddit

The picture shows both dogs and bagels. In the past it was impossible for a computer to see the differences between the pictures. By teaching a system which image represents a dog and which image represents a bagel the system can recognize this. Deep learning technologies have changed this.

Deep learning no longer needs an exact example to recognize a file but, utilizing knowledge about the characteristics of a dog versus characteristics of a bagel, can independently determine what category the picture falls in. With deep learning a computer can determine for itself that a picture in which a snout, ears, a kind of fur, legs and a tail can be seen isn't a bagel but a dog. It works the same way for recognizing malware. This looks as follows:

Malware recognition workflow

By combining a huge quantity of data and knowledge about the characteristics of malware with a huge quantity of data and knowledge about the characteristics of “non-malware” an agent is created that is independently capable of recognizing malware and subsequently making decisions about it.

Deep learning may appear simple, but it is a very complex technology. This technology is highly dependent on the knowledge about malware and non-malware. Deep learning agents that have been insufficiently trained because not enough big data was used will give a lot of false positives because the agent was not capable of making the right choices. This makes deep learning as powerful as the knowledge hidden behind it.

Conclusion

The threat landscape has changed. Once again the endpoint is becoming increasingly important. We observe that hackers go through many more steps to be successful and use an updated kill chain to do so. A comprehensive orientation phase in which social media plays an important role, as well as spear phishing tailored to the target make the attacks a lot more credible. The tools that are subsequently utilized were clearly developed to circumvent existing security measures and include exploits, zero day malware, scripting and SSL connections.

The combination of these new techniques requires a new approach in the security strategy. It is important that the new tools, in particular, are recognized. Next-gen endpoint security is not an empty marketing slogan - it definitely adds the new security approaches that help to protect against these threats. However, there is still a significant difference in the quality of the various next-gen solutions. The biggest differences are in the smallest details. A sound quality evaluation is extremely important when choosing optimal endpoint security.

Do you want to know more?

If, based on this information, you have questions about endpoint security or other security approaches our experts will be happy to advise you.

 Get in touch with us

Leipzig, 04.04.2018

Stay Up-to-date

For regular updates and articles from COMPAREX, click below to follow us:

 Follow us on LinkedIn

 Follow us on Twitter

Archive

Get an overview of all published blog articles of the past months.

 Read more

Share this Article

Leave a Comment

Do you have a question or remark on this article you want to share with us?
 Post it here.