Every day, an average of 450,000 new malware are designed to wreak havoc on businesses, governments, and average citizens. Aside from the financial implications of malware, the reputational damage for companies and the psychological impact on victims (especially with ransomware) are enough to scare anyone at the thought of dealing with a malware attack.
But it’s not all bad news! There is a way of protecting your devices and cyberspace with a proactive method. Malware detection works through various techniques and tools designed to screen, alert, and block malware from gaining access to any device.
These techniques will be the focus of this piece, as we’ll be walking you through the various types, their challenges, and why machine learning detection is now the most preferred option for malware detection.
What is malware detection?
Malware detection is the use of specific techniques and tools to identify and prevent malware from harming a system, network, or device. Shorthand for “malicious software”, malware encompasses a variety of types:
In fighting against these malicious agents, the conventional approach was installing anti-virus software, but not anymore. With the lack of cybersecurity professionals and increasingly sophisticated cybercriminals, organizations now rely on various techniques to keep their cyberspace and devices safe from malware attacks.
Malware detection is important to organizations for the following reasons:
- Cost-effectiveness. The time, resources, and efforts that would have been channeled to respond to a malware attack are saved and better utilized by investing in malware detection.
- Asset protection. Malware detection is a proactive method of keeping the data and information assets in your organization’s custody safe from malware like ransomware and spyware, which are notorious for hijacking data from victims.
- Threat intelligence. Malware detection also contributes to cyber threat intelligence by uncovering insights from vulnerabilities and threats within cyberspace.
- System integrity. Reducing your organization’s risk of a malware attack is one way of keeping your systems functioning optimally. This benefit, in turn, upholds your organization’s reputation of being trustworthy and secure.
Detecting Malware: common techniques
The following techniques are some of the tried-and-tested methods for identifying malware. We’ll also cover the limitations or challenges of these techniques.
Signature-based detection (SBD)
Signature-based detection works by identifying malware through its unique identifier, known as signatures, comparing it to an existing malware database, and eliminating it before infiltrating a system.
This is similar to how indicators of compromise and indicators of attack need to run through an up-to-date database to be verified. Conventional anti-virus software works with this technique, which is excellent at detecting adware, keyloggers, and specific ransomware.
Among the most effective traditional methods of detecting malware, it is hampered by its inability to keep up with the increased sophistication of malware attacks. The ingenuity cyber-criminals use to carry out their attacks has created malware that can be well-disguised to beat an organization’s defense plan and wreak havoc unnoticed.
Simply modifying an existing and known malware just slightly renders this method useless.
Also, its rigid approach gives room for lots of false positives. For instance, a file can have a suspicious identifier but still not be malicious enough to harm a system. But SBD will pick it out and alert the SOC.
Conversely, an identifier that bears no semblance to the existing malware in a system’s database can be granted access due to SBD. Hence, SOC analysts must frequently update and collate information from new sources to avoid giving access to malware.
Think of the place of the human DNA when investigating a crime. It provides forensic information but is useless if no previous data about a criminal’s activities exists.
Dynamic analysis detects malware by providing an isolated sandbox environment for the malware to run its code or script — without spreading and infecting the system. In the sandbox, dynamic analysis focuses on the behaviour of the malware to derive more information.
Dynamic analysis is no match for the deceptiveness of advanced malware and its evasion techniques. For instance: Certain malware are timer-based, allowing them to lay dormant in the sandbox for some time before launching when introduced into the system.
Also, code obfuscation poses challenges for dynamic analysis. Obfuscated code can hide malicious behavior, making it harder to detect during runtime analysis.
For instance, if a file has a value of 7425, its checksum will be 18, that is 7+4+2+5. Hence, the file's checksum before and after transmitting it has to add up to 18 for it to be deemed uncorrupt. This comparative approach involves calculating the numerical value of a data set or data types before and after gaining entry to a system or device and comparing the results to ensure a match.
Checksumming simply confirms whether the summation of the file value after transmission tallies with the pre-transmission value. However, the position of the numbers is just as important when determining the integrity of a file.
For example, a file can be 7621 before it enters a device and changes to 6451 inside the system. They both have identical checksums, but the file may have polymorphic malware hidden in it, making the numbers' positioning change inside the system.
So, checksumming is certainly not a foolproof way to detect malware.
Allowlisting grants access to only trusted files and blocks off unknown or suspicious files. This restrictive technique is based on the belief that malware can only exist in agents foreign to a system or network.
Allowlisting is not always effective:
- Even trusted files can introduce vulnerabilities into the system.
- As a restrictive and pre-emptive approach, it can slow down workflow within an organization.
Static analysis examines the properties of malware without executing it by analyzing the file type, size, hash, metadata, strings, imports, exports, and resources. In this method, you use tools to examine the structure of the malware, such as:
- source code analyzers
Some of the top static analysis tools include:
- PEStudio analyzes Windows executable files and reveals various indicators of maliciousness.
- VirusTotal is a web-based service that scans files and URLs with multiple antivirus engines.
- CFF Explorer allows you to view and edit the internal structure of Windows executable files.
Especially in light of more sophisticated malware inventions, this method is useless when used on malware that exhibits malicious behavior only when launched. So, with static analysis, malware might be certified as good-to-go until it is granted access to the host system, launches — and reveals its malicious nature.
Malware detection using machine learning
If you're close paying attention, you realize that the techniques above share one thing in common: they are used for detecting or filtering out known malware types. But how do SOC analysts keep up and protect their security system from the impact of advanced, deceitful, and unknown malicious software?
Well, that’s where Machine Learning detection comes in.
With conventional detection techniques failing to address the sophisticated malware types plaguing cyberspace, machine learning offers a more thorough approach to malware detection. This is because Machine Learning is an AI application that enables computers to learn from experience and improve the performance of specific tasks. It carries out malware detection on auto-pilot.
Its ability to access, analyze, and learn from large volumes of data allows it to detect malicious agents within a system more accurately, which is why an effective machine-learning model replaces the needs for most of the techniques mentioned above.
Here’s how it works:
Predictive and prescriptive analysis
ML models use predictive and prescriptive analytics that allow them to take feedback from the algorithms and intuitively update themselves for future purposes. This function enables it to fish out unknown and advanced malware variants. It also recommends strategies for fighting them, which malware analysts may be poorly equipped to handle.
Compare this to signature-based detection, which works only on known identifiers, leaving a system vulnerable to advanced threat actors that haven’t been identified or added to the database.
Automatic threat detection and response
The techniques described above can only go as far as threat detection, which is fine as they are designed for that purpose. But ML takes it further by detecting, analyzing, generating insights for the future — and eliminating the threat effectively.
This is worlds better than flagging, sending alerts, or sandboxing, all of which can overwhelm your SOC and security team, while still leaving loopholes for malware to capitalize on.
ML algorithms have higher chances of identifying, analyzing, and classifying data based on their threat levels. This is courtesy of the advanced static and dynamic analysis methods they employ when investigating harmful agents. This leads to fewer false positives, which are common with other techniques.
Using Splunk SIEM for malware detection
Among Splunk’s many security use cases, modern malware detection is built into Splunk Enterprise Security, our SIEM, in the form of security monitoring, advanced threat detection, threat hunting and more.
What is Splunk?
This posting does not necessarily represent Splunk's position, strategies or opinion.