06. August 2021

The never-ending arms race between attackers and defenders


Insurance // When you look at the most famous cyberattacks of the past 20 years, a dramatic change can be seen in the last two to three years. At the same time, defensive tools have also evolved. Who is currently ahead of the game? A prototype being developed at FHNW is demonstrating where this development could be leading.

With the first computer malware (e.g. Code Red, 2001), attackers attempted to infect as many computers as possible. The motto was: The more, the better. In attacks which have a large-scale target, the tactics (aims of the attack), techniques and procedures – or TTPs for short – are quickly identified. Widespread attacks can usually be combated efficiently by performing a static analysis of the files, whereby antivirus programs look for characteristic byte sequences that indicate a known code sequence. Even as recently as 2017, attackers were able to attack large-scale infrastructures, including hospitals and transport systems (e.g. WannaCry). Updated antivirus programs now quickly provide signatures for detecting these kinds of attacks. This type of malware therefore has only a very limited time frame in which to actively spread. But attackers also react quickly and update their malware so that the signatures are continually changing. The result is a tiresome game of cat and mouse. Still, even though the signatures have been repeatedly changed, the techniques and procedures used have remained more or less the same over many years.

As a result, manufacturers of antivirus programs have been able to enhance their products – under the buzz phrase “behavior-based detection” – with tools that observe and analyze the dynamic behavior of software. There are two main approaches here: Either the dynamic behavior of processes is analyzed directly on the computers during operation (endpoint detection and response, or “EDR”) or you run the dubious software in a sandbox and observe what happens. “Intrusion detection” and “intrusion prevention” systems perform largely the same function: They analyze traffic and try to identify known patterns and behaviors. The table on the next page provides an overview of the most important tools and their functionalities.

Targeted, one-off attacks
For security officers, cyberattacks which specifically target individual companies are of far greater concern. A paradigm shift has taken place in the way that attackers operate: The aim now is to concentrate on a single target and avoid detection for as long as possible. Ideally the attacker withdraws without being detected at all. Preventing attacks like these is far more difficult, as both the signatures and the behavior of the malware being used can be continually changed. EDR systems currently appear to be the strongest defense against such attacks.

The Network Security research group at FHNW's Institute of Mobile and Distributed Systems is currently developing an EDR system for Windows, which is illustrated in the figure below.

A Windows kernel-mode driver is installed on the clients as a probe, which supplies information to a user-mode Windows service about processes that have been started, files that have been opened, network connections that have been established, and changes in the registry. The agent monitors the activities and makes decisions about whether an observed process should be classed as a threat. Operations that are classed as a threat can, where necessary, be notified to a central manager, which then isolates the afflicted client.

The main aim of an EDR system is to detect as much malware as possible without generating too many false alarms. One of the challenges here is that even established commercial software performs actions which in themselves potentially pose a threat. This then raises the crucial question: How can you determine whether such actions are benign or whether they indicate an attack? The standard answer to this question would be to check your databases to see whether similar behavior has already been observed in malware in the past. An alternative approach might be to prohibit all actions that could potentially pose a threat and allow exceptions for desired software.
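
The alternative approach described above, sketched as an added example (it is not code from the FHNW prototype): a local agent classifies probe events by policy alone, treating listed actions as threats unless an exception names the desired software. The four event kinds follow the probe description; every policy entry, path, host name and function name is a constructed assumption.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class Event:
    image: str   # path of the process that performed the action
    kind: str    # process_start | file_open | net_connect | registry_write
    target: str  # child image, file path, host:port or registry key

# Constructed policy: actions treated as potentially threatening ...
SENSITIVE = [
    ("registry_write", r"hklm\software\microsoft\windows\currentversion\run*"),
    ("process_start", r"*\powershell.exe"),
    ("net_connect", "*:445"),
]
# ... and exceptions for desired software: (image, kind, target pattern).
EXCEPTIONS = [
    (r"c:\program files\backupco\agent.exe", "net_connect", "fileserver.example:445"),
    (r"c:\windows\system32\msiexec.exe", "registry_write",
     r"hklm\software\microsoft\windows\currentversion\run*"),
]

def _match(pattern, value):
    # Windows paths and registry keys are case-insensitive, so compare lowercased.
    return fnmatchcase(value.lower(), pattern.lower())

def decide(event):
    """Return 'allow' or 'threat' from policy alone, with no signature lookup."""
    if not any(k == event.kind and _match(p, event.target) for k, p in SENSITIVE):
        return "allow"
    excepted = any(_match(img, event.image) and k == event.kind and _match(p, event.target)
                   for img, k, p in EXCEPTIONS)
    return "allow" if excepted else "threat"

def clients_to_isolate(events_by_client):
    """Decisions are made locally; only clients with a threat reach the manager."""
    return sorted(client for client, events in events_by_client.items()
                  if any(decide(e) == "threat" for e in events))

# Constructed sample events, as the probe might report them.
SAMPLE = {
    "client-a": [
        Event(r"C:\Program Files\BackupCo\agent.exe", "net_connect", "fileserver.example:445"),
        Event(r"C:\Windows\explorer.exe", "file_open", r"C:\Users\amy\report.docx"),
    ],
    "client-b": [
        Event(r"C:\Users\bob\AppData\Local\Temp\update.exe", "registry_write",
              r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    ],
}

if __name__ == "__main__":
    print(clients_to_isolate(SAMPLE))
```

The decision never asks whether `update.exe` has been seen before, so a binary with a fresh signature is still classed as a threat; the cost is that each exception entry must be maintained for software that legitimately needs the action.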

Indirect attacks via a software supplier
The attack on the company SolarWinds, which was detected in December 2020 by the company FireEye, reached a new escalation level: Rather than the actual victim, it was a supplier that was attacked. In this instance, the attacker managed to implant a manipulated software development tool, affecting customers of the Orion platform from SolarWinds. The attackers thereby demonstrated that they were ahead of the game.

The EDR system prototype being developed at FHNW makes it possible to compile the tool individually and test different approaches. The following points are important:

  1. The decision as to whether a client needs to be isolated or not should be taken by looking ahead and not just back into the past.

  2. Such a sensitive tool must be as open as possible.

  3. It should be possible for decisions to be made locally.

The first point means a paradigm shift away from conventional malware detection towards policy-based decisions. The second point means that an EDR system must be an anchor of trust. The events surrounding the SolarWinds attack appear to bear out this approach.

Peter Gysel

Peter Gysel (dipl. Phys. ETH, Dr. sc. techn.) previously worked at Siemens and Ascom. He is currently Professor of Data Networks and Network Security at the University of Applied Sciences and Arts Northwestern Switzerland (FHNW). His main research focus is the protection of critical infrastructures.