If signatures in cybersecurity are like fingerprints in a criminal investigation, behavioral detection is like behavioral profiling; it’s harder to hide but it’s not foolproof either.
Threats are becoming more sophisticated. Threat actors are determined to find ways to disguise malicious activity and evade traditional detection techniques.
For example, some malware variants employ techniques to alter their fingerprints. Elsewhere, network attacks can hide behind encryption, or subtly change how they present themselves on the wire, to evade detection.
Some industry watchers point to a historical dependence upon signature-based detection as a reason such efforts are effective. While there are many possible ways to resolve the issue, one of the more prevalent involves behavior analysis.
To understand the strengths and weaknesses of behavioral analysis in comparison to signatures, we must first briefly examine signature detection.
How Signature Detection Works
Signature detection refers to any technology that looks for unique characteristics of an existing threat to detect future occurrences. In the case of viruses or malware, this may be a unique pattern of code within a file or a unique file hash associated with the malware sample.
This method of detection requires that the threat has been discovered already (or at least anticipated) and its signature is available. To work effectively, the threat must look precisely the same each and every time it is observed. If it changes even slightly it will evade traditional signature detection.
To draw an analogy, it is like getting a fingerprint of a known criminal. The human fingerprint is unique, and if that fingerprint is ever seen again in a matter of criminal activity, it can alert the authorities as to the identity of the criminal.
However, for fingerprints to work as proof of identity, authorities must have caught the criminal at least once in the past, or in some way have previously obtained fingerprints. In addition, the perpetrator must continue to leave his or her fingerprints at new crime scenes. If the criminal wears a pair of gloves on the next heist, then law enforcement may not have the information to definitively determine the criminal’s identity.
Similarly, viruses can change, either manually or through a mechanism called “polymorphism.” This is where the fingerprint or hash can change as it moves between infected hosts to avoid the uniquely identifiable pattern.
Why are signatures still used if they can be so easily evaded? They are used for the same reason police still use fingerprints. Although they may not catch everything, they are still highly effective against known threats.
How Behavior Analysis is Different
If signatures are like fingerprints, behavioral detection is like behavioral profiling. Rather than looking for a specifically identifiable pattern, behavioral analysis looks at suspicious activity to determine if it’s a threat.
While it would be useful to identify the criminal in the act of stealing, for example, it is rare for advanced threats to be so revealing. After all, they are trying to avoid being caught. Their behavior, however, is hard to hide.
If you see somebody loitering by the store window late at night, that is an indicator you would take note of. Further, if that person then seems to be spending a lot of time hunched over the door lock and hiding his or her face, the indications of nefarious activity begin to mount.
While any single action may not be a concern on its own, when enough of these types of secondary behaviors are identified, a behavior analysis can escalate the incident as a potential alert. This works in the same way in the context of network security.
For example, security may see a user visit a website of concerning reputation. Later, that user’s system makes a single call to another website where a large encrypted payload is downloaded. Shortly after, another short web call is made to another host without any reputation at all. Finally, you see that user communicating peer-to-peer with other local systems, in a way that is typically uncharacteristic by that user. Any single one of these events may not be worthy of triggering an alert, but in combination, they lead to a pattern that may tell a greater story.
The drawback of behavioral analysis mirrors the drawback of behavioral profiling in law enforcement: false positive alerts. Yet false positives, in the case of cybersecurity, may not be as problematic: if your behavioral detection system is not sending at least a few false positives, it may be allowing some threats to go undetected.
In behavioral detection, it is not about eliminating false positives, it is about keeping the ratio of false positives-to-detections low. If a large enterprise detects five real threats for each false positive, most organizations would consider this a reasonable trade-off.
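As an added illustration, not code from the original post, here is a small scoring pass over constructed JSON log lines that models the four-step sequence above: each indicator alone stays under an assumed alert threshold, and only the accumulated total for one user raises an alert, while a second user with a single poor-reputation visit does not. The user names, hosts, point values, threshold and peer-to-peer baseline are all assumptions.

```python
import json
from collections import defaultdict

# Constructed sample events (not from the original post), one JSON record per line,
# modelled on the sequence the post describes for a single user.
SAMPLE_LOG = """\
{"ts": 1, "user": "alice", "kind": "http", "dst": "badsite.example", "reputation": "poor", "bytes_in": 2048, "encrypted": false}
{"ts": 2, "user": "alice", "kind": "http", "dst": "cdn.example", "reputation": "good", "bytes_in": 5200000, "encrypted": true}
{"ts": 3, "user": "alice", "kind": "http", "dst": "203.0.113.7", "reputation": "unknown", "bytes_in": 512, "encrypted": false}
{"ts": 4, "user": "alice", "kind": "smb", "dst": "10.0.0.23", "reputation": "internal", "bytes_in": 100, "encrypted": false}
{"ts": 5, "user": "bob", "kind": "http", "dst": "badsite.example", "reputation": "poor", "bytes_in": 1024, "encrypted": false}
"""

# Each weak indicator scores below the alert threshold on its own (the post's point:
# no single event is worth an alert). The threshold and point values are assumed tuning.
ALERT_THRESHOLD = 10
LARGE_PAYLOAD = 1_000_000

# Assumed baseline: users for whom peer-to-peer traffic to local hosts is normal.
P2P_BASELINE = {"bob"}

def score_event(ev, baseline):
    """Return (points, reason) for one event, or (0, None) if it is unremarkable."""
    if ev["reputation"] == "poor":
        return 4, "visited site with poor reputation"
    if ev["encrypted"] and ev["bytes_in"] >= LARGE_PAYLOAD:
        return 3, "downloaded large encrypted payload"
    if ev["reputation"] == "unknown":
        return 2, "short call to host with no reputation"
    if ev["kind"] == "smb" and ev["user"] not in baseline:
        return 4, "uncharacteristic peer-to-peer traffic to local host"
    return 0, None

def analyze(log_text, threshold=ALERT_THRESHOLD, baseline=P2P_BASELINE):
    """Accumulate indicator points per user; return {user: (score, reasons)} for users at or over threshold."""
    totals = defaultdict(lambda: [0, []])
    for line in log_text.splitlines():
        ev = json.loads(line)
        pts, why = score_event(ev, baseline)
        if pts:
            totals[ev["user"]][0] += pts
            totals[ev["user"]][1].append(why)
    return {u: (s, r) for u, (s, r) in totals.items() if s >= threshold}

if __name__ == "__main__":
    for user, (score, reasons) in analyze(SAMPLE_LOG).items():
        print(f"ALERT {user}: score {score}: " + "; ".join(reasons))
```

A production version would also bound the correlation to a time window and decay old indicators, so that a poor-reputation visit weeks ago does not still count toward today's total.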
A Layered Defense Uses a Balance of Techniques
For all the new tools available to hackers to hide their intentions, the fact remains that profiting from breaking into a corporate network means bad actors are going to behave in ways that are unusual. This behavior is simply harder to hide, and it presents another opportunity for security to mitigate risk.
As with signatures, most organizations cannot rely exclusively on behavioral analysis. Doing so would leave them prone to missing threats that would otherwise be easily identified by signatures. To that end, it’s not a matter of one security technique being better than another; rather, it’s understanding the strengths and weaknesses of each and employing them in a way that best protects the enterprise.
* * *
Hidden threats and the tools for identifying them play a big role in threat hunting. Join us for a live webinar on threat hunting you won’t want to miss: Threat Hunting Webinar: Finding Hidden & Undetected Network Threats; Tuesday, October 30, 2018, at 1 p.m. ET.
Note: A version of this post was originally published as part of the CSO Online contributor network: Why it’s harder for threats to hide behavior on a corporate network.