As threats become more sophisticated and targeted, traditional anti-virus detection is struggling to keep up. The traditional approach matches fingerprint signatures of known malware to identify malware in the enterprise. Signature fingerprinting is not only easily evaded (a small change to the binary yields a new fingerprint), it also provides little value against targeted attacks on a specific company and against emerging threats for which no signature yet exists.
To address this, Invincea developed a method for detecting and analyzing previously unknown malware and 0-day exploits. The detection approach runs in conjunction with Invincea’s secure virtual container, which isolates the operating system and user data from exploits against vulnerable applications. Because high-risk applications such as web browsers run inside the container, no prior knowledge of a threat (signatures or IOCs) is required to prevent damage to the host system and loss of data: the container limits what a successful exploit can reach, and detection happens inside it.
2. Meet the Presenter
Steve Taylor
Steve is a Principal Software Engineer at Invincea who helped build the foundation for Invincea’s innovative security solution. As an employee since the company’s inception, he designed and implemented major portions of the product’s core architecture and malware detection engine. The containerization platform he helped develop is currently used by large enterprises to protect against web-based attacks, such as spear-phishing. He is named on a provisional patent for his role in building a behavior-based approach to detect and analyze threats.
6. Malware Evolution (1980s – 1990s)
Chart: adversary sophistication (low to high) against targeting (mass targeting to pinpoint targeting). Adversaries plotted: Script Kiddies, Lone Wolves, “Hacktivists”. Defenses: Anti-Virus.
7. Malware Evolution (2000s)
Chart: adversary sophistication (low to high) against targeting (mass targeting to pinpoint targeting). Adversaries plotted: Script Kiddies, Lone Wolves, “Hacktivists”, Organized Crime, Nation States (Tier 2), Nation States (Tier 1). Defenses: Anti-Virus, Network Sandboxing, White Listing.
8. Malware Evolution (circa 2010)
Chart: adversary sophistication (low to high) against targeting (mass targeting to pinpoint targeting). Adversaries plotted: Script Kiddies, Lone Wolves, “Hacktivists”, Organized Crime, Nation States (Tier 2), Nation States (Tier 1). Defenses: Anti-Virus, Network Sandboxing, White Listing. The threat curve circa 2010 is drawn across the chart.
9. 2014+ changing Threat Curve
Chart: adversary sophistication (low to high) against targeting (mass targeting to pinpoint targeting). Adversaries plotted: Script Kiddies, Lone Wolves, “Hacktivists”, Organized Crime, Nation States (Tier 2), Nation States (Tier 1). Defenses: Anti-Virus, Network Sandboxing, White Listing. The threat curve (today) has moved upward relative to the 2010 curve.
Takeaway: less advanced adversaries now have access to very sophisticated malware.
10. New Defenses are Needed
Chart: adversary sophistication (low to high) against targeting (mass targeting to pinpoint targeting). Adversaries plotted: Script Kiddies, Lone Wolves, “Hacktivists”, Organized Crime, Nation States (Tier 2), Nation States (Tier 1). Defenses: Anti-Virus, Network Sandboxing, White Listing, with Advanced Endpoint Protection added to cover the threat curve (today).
17. Using Virtual Container Architecture to Cover the Largest Attack Surfaces
Invincea Communications Interface
Secure Virtual Container
• Virtual File System
• Behavioral sensors (process, file, network)
• Command and Control
• Forensic data capture
18. Using Virtual Container Architecture to Cover the Largest Attack Surfaces
Contained Threats
Attacks against the browser, PDF reader, and Office suite are air-locked from the host operating system. Detection, kill, and forensic capture all occur inside the secure virtual container.
Detection
The behavior of each containerized application is meticulously whitelisted. Any deviation from known behavior is immediately flagged as suspicious. This means no signatures are required and 0-day threat detection is realized. The quality of the whitelist determines the false-positive rate: legitimate but unprofiled behavior (an updater or plug-in the profile does not cover) is flagged the same way as an attack, so profiles must be maintained as the applications change.
19. Using Virtual Container Architecture to Cover the Largest Attack Surfaces
Malware Killed & Collected
• Virtual File System
• IOCs
• Command and Control
• Forensic data capture
22. How Detection Works
• Each app has a profile of possible behaviors
• Behavior that deviates from expected is a likely IOC
• Malware will create artifacts as it executes, including file system, registry, in-memory, and network activities
• These artifacts are triggers to start collecting intel and alert the user
23. Malware-Free Intrusion IOCs
• Unexpected process launches
• Dropping and launching processes
• Code injection into running processes
• Loading modules reflectively in memory
• Loading modules from the network
• …
24. Leveraging Containerization for Behavioral Detection
• Behavioral detection is traditionally tricky
– It is hard to define expected behaviors for the entire system
• Only the behaviors of contained apps need to be mapped
• The container is a controlled environment with predictable outcomes
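The following is an added example, written for this page and not Invincea’s own code, of the detection logic that slides 18, 22, 23 and 24 describe: a per-application profile of expected behaviors, a stream of sensor events (process, file, network, module load, injection) checked against it, and the malware-free IOCs from slide 23 reported as deviations. The profile contents, the event schema and the sample event stream are assumptions constructed for the example.

```python
"""Per-application behavior profiles and IOC detection (added example).

Illustrative code for this page, not Invincea's engine. Each contained app has
a profile of expected behaviors; sensor events are checked against that
profile and any deviation is reported as an IOC. Profile contents, the event
schema and the sample events are assumptions made for the example.
"""
from dataclasses import dataclass

# File types whose creation by a contained app is tracked as a "drop".
EXECUTABLE_EXTENSIONS = (".exe", ".dll", ".scr", ".bat", ".vbs", ".ps1")


@dataclass(frozen=True)
class AppProfile:
    """Expected behaviors of one contained application (illustrative values)."""
    name: str
    child_processes: frozenset            # image names the app normally launches
    allows_injection: bool = False        # writing or running code in other processes
    allows_reflective_load: bool = False  # module loads from memory or the network


# Constructed profiles; the child lists are assumptions, not vendor data.
PROFILES = {
    "iexplore.exe": AppProfile("iexplore.exe", frozenset({"iexplore.exe"})),
    "acrord32.exe": AppProfile("acrord32.exe", frozenset({"acrord32.exe"})),
    "winword.exe": AppProfile("winword.exe", frozenset({"winword.exe", "splwow64.exe"})),
}


def detect_iocs(events, profiles=PROFILES):
    """Walk sensor events in order and return the IOCs found, as strings.

    Each event is a dict with a "type" and the "process" (image name) that
    produced it; the remaining keys depend on the type. A process with no
    profile is by definition unexpected inside the container, so its launches,
    injections and reflective loads are always flagged.
    """
    iocs = []
    dropped = set()  # executables written inside the container (lower-cased paths)
    for ev in events:
        proc = ev["process"].lower()
        profile = profiles.get(proc)
        etype = ev["type"]
        if etype == "file_write":
            path = ev["path"].lower()
            if path.endswith(EXECUTABLE_EXTENSIONS):
                dropped.add(path)  # not an IOC yet: downloads are normal for a browser
        elif etype == "process_start":
            child = ev["child"].lower()
            if ev.get("image", "").lower() in dropped:
                iocs.append(f"{proc} launched dropped file {ev['image']}")
            elif profile is None or child not in profile.child_processes:
                iocs.append(f"unexpected process launch: {proc} -> {child}")
        elif etype == "code_injection":
            if profile is None or not profile.allows_injection:
                iocs.append(f"code injection: {proc} -> {ev['target']}")
        elif etype == "module_load":
            source = ev.get("source", "disk")
            if source in ("memory", "network") and (
                    profile is None or not profile.allows_reflective_load):
                iocs.append(f"{source} module load in {proc}: {ev['module']}")
        # network_connect and registry_write are expected for these apps; they are
        # collected as intel once something else has fired, not flagged on their own.
    return iocs


# Constructed sample stream: the browser downloads and runs a dropper, which
# spawns a shell and injects into another process; Word prints normally.
SAMPLE_EVENTS = [
    {"type": "network_connect", "process": "iexplore.exe", "dest": "203.0.113.10:443"},
    {"type": "file_write", "process": "iexplore.exe",
     "path": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"type": "process_start", "process": "iexplore.exe", "child": "update.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"type": "process_start", "process": "update.exe", "child": "cmd.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "code_injection", "process": "update.exe", "target": "explorer.exe"},
    {"type": "module_load", "process": "iexplore.exe", "module": "payload.dll",
     "source": "memory"},
    {"type": "process_start", "process": "winword.exe", "child": "splwow64.exe",
     "image": r"C:\Windows\splwow64.exe"},
]

if __name__ == "__main__":
    for ioc in detect_iocs(SAMPLE_EVENTS):
        print("IOC:", ioc)
```

Running it reports four IOCs (the dropped-and-launched file, the unexpected cmd.exe launch, the injection, and the in-memory module load) and nothing for the benign network connection or Word’s print helper. The design point is the one slide 24 makes: because only the contained applications need profiles, the whitelist stays small enough to maintain.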
25. The Source of Attack
• Attribute any source website or document
• Any iframes embedded in the website are traced
• Links/documents opened in Outlook that lead to a detection are indicators of spear phishing
26. Collecting Intel
• All activity from suspect processes is collected
– File/registry/network/execution
• Execution and code injections are traced to filter only behaviors stemming from the attack
• Process and network metadata is gathered
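The following added example, written for this page and not taken from Invincea, shows the two steps slides 25 and 26 describe on one constructed event stream: attributing a detection to its source (climbing the process tree to the contained app, tracing the iframe chain it had loaded, and noting whether it was launched from Outlook), then following child processes and code injections forward so that only the file, registry, network and execution activity stemming from the attack is collected. The event schema, the `launched_by` and `parent_url` fields, the pids, hosts and paths are all assumptions made for the example.

```python
"""Attack-source attribution and intel filtering (added example).

Illustrative code for this page, not Invincea telemetry or code. Given the pid
that triggered a detection: (1) climb the process tree to the contained app
that started it and report what that app had open (top document plus traced
iframes) and whether Outlook launched it; (2) follow child processes and code
injections forward so only activity stemming from the attack is collected.
The event schema and the sample events are constructed for this example.
"""
from collections import defaultdict

# Constructed sensor stream; pids, hosts and paths are made up. Parent pid 1
# stands for a process outside the container.
EVENTS = [
    {"type": "process_start", "pid": 100, "image": "iexplore.exe", "parent": 1,
     "launched_by": "outlook.exe"},
    {"type": "navigate", "pid": 100, "url": "https://news.example/article", "parent_url": None},
    {"type": "navigate", "pid": 100, "url": "https://ads.example.net/x.html",
     "parent_url": "https://news.example/article"},
    {"type": "navigate", "pid": 100, "url": "http://198.51.100.7/exploit.swf",
     "parent_url": "https://ads.example.net/x.html"},
    {"type": "process_start", "pid": 300, "image": "iexplore.exe", "parent": 100},
    {"type": "network", "pid": 100, "dest": "news.example:443"},
    {"type": "process_start", "pid": 200, "image": "dropper.exe", "parent": 100},
    {"type": "file", "pid": 200, "path": r"C:\Users\alice\AppData\Roaming\svc.exe"},
    {"type": "registry", "pid": 200,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"},
    {"type": "code_injection", "pid": 200, "target": 300},
    {"type": "network", "pid": 300, "dest": "198.51.100.7:8080"},
    {"type": "process_start", "pid": 400, "image": "winword.exe", "parent": 1},
    {"type": "file", "pid": 400, "path": r"C:\Users\alice\Documents\notes.docx"},
]


def build_tree(events):
    """Index process starts and injections: parent pid, image name, injection targets."""
    parent, image, injected = {}, {}, defaultdict(set)
    for ev in events:
        if ev["type"] == "process_start":
            parent[ev["pid"]] = ev["parent"]
            image[ev["pid"]] = ev["image"]
        elif ev["type"] == "code_injection":
            injected[ev["pid"]].add(ev["target"])
    return parent, image, injected


def attack_source(suspect_pid, events):
    """Attribute a detection to the site/document the contained app had open."""
    parent, image, _ = build_tree(events)
    root = suspect_pid
    while parent.get(root) in parent:  # climb while the parent is itself contained
        root = parent[root]
    launcher = next((ev.get("launched_by") for ev in events
                     if ev["type"] == "process_start" and ev["pid"] == root), None)
    # Trace iframes: start from the most recently loaded frame and follow
    # parent_url links up to the top-level document.
    frames = {ev["url"]: ev["parent_url"] for ev in events
              if ev["type"] == "navigate" and ev["pid"] == root}
    chain, url = [], next(reversed(list(frames)), None)
    while url is not None:
        chain.append(url)
        url = frames.get(url)
    chain.reverse()
    return {"app": image.get(root), "pid": root, "launched_by": launcher,
            "chain": chain, "spear_phishing_indicator": launcher == "outlook.exe"}


def tainted_pids(suspect_pid, events):
    """Follow children and injection targets forward from the suspect process."""
    parent, _, injected = build_tree(events)
    children = defaultdict(set)
    for pid, ppid in parent.items():
        children[ppid].add(pid)
    seen, stack = set(), [suspect_pid]
    while stack:
        pid = stack.pop()
        if pid in seen:
            continue
        seen.add(pid)
        stack.extend(children[pid] | injected[pid])
    return seen


def collect_intel(suspect_pid, events):
    """Keep only file/registry/network/execution activity stemming from the attack."""
    tainted = tainted_pids(suspect_pid, events)
    kept = ("file", "registry", "network", "process_start", "code_injection")
    return [ev for ev in events if ev["type"] in kept and ev["pid"] in tainted]


if __name__ == "__main__":
    print(attack_source(200, EVENTS))
    for ev in collect_intel(200, EVENTS):
        print("intel:", ev)
```

With the dropper (pid 200) as the suspect, attribution walks up to the browser, reports the frame chain news site → ad network → exploit host and flags the Outlook launch as a spear-phishing indicator; the intel filter keeps the dropper’s own activity and the network connection from the browser process it injected into, and discards the browser’s legitimate traffic and everything Word did.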