COMMENT
the body is invaded by a new (cold) virus it has never seen before. The immune system doesn’t immediately “recognise” the virus, and this gives it a chance to grow – think “dwell time” in cyber security parlance – and, at least temporarily, it overwhelms our immune response. The result: we become sick.
In cyber security, we create databases of known malicious software. We study their “signatures” and use these to programme antivirus, endpoint security and other software to monitor for, isolate and remove this malevolent software.
As already noted, however, today’s advanced threats can be polymorphic, so signature-based detection engines won’t work. They use code obfuscation techniques and encryption at the execution layer and network transport layer to slip detection. The most sophisticated malware is able to identify and disable security software.

www.intelligentcio.com
The response must be to adopt the immune system’s proactive approach – threat hunting. This involves continually crawling through our network, looking at traffic, documents, files, anomalies and anything that shouldn’t be there.
But to address the increasing polymorphism of malware, signature-based antimalware solutions should be combined with behaviour-defined identification. This gives added information by looking at network flows and packet capture, in search of operations that shouldn’t be happening. This requires massive data processing and smart algorithms to search the data for predefined behavioural signatures and certain types of unusual activity.
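As an added illustration of behaviour-defined identification over network flows (example code written for this page, not from the article or from Intelligent CIO): the hosts, addresses, timestamps and hashes are constructed, and the beaconing rule, its thresholds and the dwell-time calculation are assumptions. It shows the point made above: a hash list misses a sample whose binary changes on every run, while a behavioural rule over flow timing still finds it.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    ts: int         # seconds since the start of the capture
    src: str        # internal host name
    dst: str        # external endpoint (constructed, documentation range)
    port: int
    bytes_out: int
    file_hash: str  # hash of the process image that opened the connection


# Constructed flow records. The implant on ws-17 rewrites its own binary on
# each run (polymorphic), so the hash differs every time, yet it calls home
# roughly every 300 s. ws-03 is ordinary browsing: irregular timing and sizes.
FLOWS = [
    Flow(0,    "ws-17", "203.0.113.9",  443, 1800,  "a1"),
    Flow(301,  "ws-17", "203.0.113.9",  443, 1790,  "b2"),
    Flow(598,  "ws-17", "203.0.113.9",  443, 1810,  "c3"),
    Flow(902,  "ws-17", "203.0.113.9",  443, 1795,  "d4"),
    Flow(1199, "ws-17", "203.0.113.9",  443, 1805,  "e5"),
    Flow(12,   "ws-03", "198.51.100.7", 443, 5200,  "ff"),
    Flow(47,   "ws-03", "198.51.100.7", 443, 88000, "ff"),
    Flow(530,  "ws-03", "198.51.100.7", 443, 900,   "ff"),
    Flow(1100, "ws-03", "198.51.100.7", 443, 21000, "ff"),
]

KNOWN_BAD_HASHES = {"z9"}  # signature of an earlier variant seen elsewhere


def signature_hits(flows):
    """Classic signature matching: only hashes already in the database."""
    return [f for f in flows if f.file_hash in KNOWN_BAD_HASHES]


def beaconing_pairs(flows, min_events=4, max_cv=0.05):
    """Behavioural rule: near-constant inter-arrival times to one endpoint.
    Returns {(src, dst, port): (first_seen, detected_at, dwell_seconds)},
    where detected_at is the timestamp at which min_events had been seen."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst, f.port)].append(f.ts)
    hits = {}
    for pair, ts in by_pair.items():
        ts.sort()
        if len(ts) < min_events:
            continue
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        cv = pstdev(gaps) / mean(gaps)  # coefficient of variation of the gaps
        if cv <= max_cv:
            detected_at = ts[min_events - 1]
            hits[pair] = (ts[0], detected_at, detected_at - ts[0])
    return hits
```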
Ultimately, we are trying to sharply reduce dwell time – which currently is measured in hundreds of days. Just as your immune system can keep you from becoming sick by identifying and attacking a virus as soon as it enters the body, so too can threat hunting limit or even prevent damage from a malicious threat.
There’s one additional aspect of the human immune response that I’ve not really addressed: that the body’s much-valued immunity generally only comes after you’ve been attacked by a virus and been made ill.
That model won’t work in the case of cyber security. We have to constantly assess and create our immunities before a new threat arises.