Why Is Cybersecurity Today Moving In The Wrong Direction?
By Eddy Bobritsky
The leading solution for threat mitigation in the cybersecurity landscape is by far endpoint detection and response (EDR) and, more recently, extended detection and response (XDR).
The goal of these systems is to constantly monitor corporate networks and endpoints so that threats and malicious behavior are detected, and stopped, as early as possible. In addition, these solutions collect immense amounts of data so that the damage done in an attack can later be analyzed and understood precisely, allowing the affected systems to be rolled back and the damage reversed as far as possible.
However, the problems with this approach are twofold:
• At the core, in order to be able to detect and respond to a threat, your system needs to be infected, and the malicious code needs to already have started to “do its thing.” This means that by the time an EDR has detected and stopped the threat, the attacker has already started to damage the system.
• Ransomware is becoming faster and more sophisticated. Threat actors are actively building evasion techniques into their malware that are specifically designed to bypass today’s security measures, which makes detecting zero-day (unknown) threats all the more difficult. Not only this, but according to a recent report by Splunk, ransomware variants are becoming frighteningly fast, with some encrypting files at a speed of up to 25,000 files per minute.
The fact of the matter is that, despite the rise in popularity of detection-based endpoint security solutions, we have not seen the decrease in malware attacks one would expect; instead, there has been a large uptick. Moreover, per IBM’s “Cost of a Data Breach” report from 2021, it now takes companies an average of 287 days to contain a breach once one happens.
Taken together, these points reveal an inherent issue with the way the industry approaches cybersecurity today. To keep up with the evolution of malware and ransomware, companies need a change of mindset: prevention should be an essential part of any security stack, alongside detection.
Why EDRs And XDRs Aren’t Enough
While detection-based security solutions are a necessary part of a security stack, they work much like the immune system: once they detect something that appears potentially malicious, they formulate a “response” to mitigate the damage. This usually works, but it requires the system to flag potentially malicious behavior, after which technical experts must decide on and prioritize responses according to the level of the threat. Not only can these flags easily pile up, but the system must first become infected before a response can be formulated, which means some damage almost always occurs. It also means a lot of effort must be invested in damage mitigation and in rolling systems back to undo that damage.
Ransomware Prevention Is Possible By Making It Turn On Itself
One of the main reasons that the industry focus today is on detection and response is the misconception that prevention is either too hard or downright impossible. While this may have been true in the past, the industry has evolved and there are a number of solutions today that can help prevent ransomware before the attack even starts.
Ransomware prevention, or dedicated anti-ransomware solutions, can easily reduce false flags by stopping the attack at the initial stages. Instead of waiting to detect the ransomware, these solutions leverage key traits of ransomware that allow it to bypass security solutions, preventing it from ever executing.
Take the sandbox evasion technique as an example. Many traditional security solutions use sandboxes to screen incoming files. Sandboxing is a method in which a file is first sent to a controlled virtual environment, isolated from the production network, and executed there for testing before it is allowed onto the network. This lets security tools scan for and detect malicious files before they ever reach the network, so they cannot do any damage.
Threat actors may insert code into their malware to bypass a sandbox by querying the operating system in order to determine whether or not the current environment is a sandbox. Things like hard disk size, system resolution, number of CPUs, RAM size and peripherals are just a few parameters that can help determine if the environment is a sandbox. If the malware comes to the conclusion that it is in a sandbox, it will simply stay dormant and wait until it exits the sandbox to continue the attack.
So, what would happen if we spun this against the malware and always made it think it was in a sandbox by giving it the answers it doesn’t want to hear (small RAM, low resolution, a low number of CPUs)? The malware would simply be put into a permanent sleep mode!
Not only that, but since we now know that a specific file asked all these questions, we now know that this file is malicious (why would a legitimate file want to know if it’s in a sandbox?) and can raise a red flag.
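The two ideas above, answering environment queries with sandbox-like values and flagging the process that asked, can be sketched as a small deception-plus-detection layer. The following is an added illustration, not code from the author or from any vendor's product: the telemetry format (`pid=… image=… query=…`), the indicator names, the threshold values and the `looks_like_sandbox` heuristic are all assumptions constructed for the example, standing in for whatever a real endpoint agent would observe.

```python
"""Deception-based anti-ransomware sketch (added example, not the article's code).

Two parts, matching the article's reasoning:
  1. answer_query()      -- hand every process 'sandbox-like' readings so that
                            sandbox-aware malware decides to stay dormant;
  2. flag_fingerprinters -- a process that asks about several distinct sandbox
                            indicators is itself a strong signal worth flagging.
All indicator names, thresholds and log lines are constructed for this demo.
"""
from collections import defaultdict
from dataclasses import dataclass

# Indicators the article names as sandbox tells: disk size, screen resolution,
# CPU count, RAM size and attached peripherals. Values chosen to look like a VM.
SANDBOX_LIKE_ANSWERS = {
    "cpu_count": 1,              # real workstations usually expose 2+ cores
    "ram_mb": 1024,              # 1 GB looks like an analysis VM
    "disk_gb": 40,               # small system disk
    "screen_resolution": "800x600",
    "usb_devices": 0,            # no peripherals attached
}

# What a real workstation would return (constructed for comparison).
REAL_HOST_ANSWERS = {
    "cpu_count": 8,
    "ram_mb": 16384,
    "disk_gb": 512,
    "screen_resolution": "1920x1080",
    "usb_devices": 3,
}


def looks_like_sandbox(answers):
    """Model of the decision the article attributes to malware: several
    'small machine' readings at once -> assume an analysis environment.
    The deception layer only works if its answers satisfy this check."""
    width, height = (int(v) for v in answers["screen_resolution"].split("x"))
    tells = [
        answers["cpu_count"] < 2,
        answers["ram_mb"] < 2048,
        answers["disk_gb"] < 60,
        width * height < 1024 * 768,
        answers["usb_devices"] == 0,
    ]
    return sum(tells) >= 3


@dataclass(frozen=True)
class FingerprintQuery:
    pid: int
    image: str
    indicator: str


def parse_query_log(lines):
    """Parse constructed telemetry lines 'pid=<n> image=<exe> query=<indicator>'."""
    records = []
    for line in lines:
        fields = dict(tok.split("=", 1) for tok in line.split())
        records.append(FingerprintQuery(int(fields["pid"]), fields["image"], fields["query"]))
    return records


def answer_query(query, deceive=True):
    """Deception layer: return the sandbox-like reading for whatever was asked."""
    table = SANDBOX_LIKE_ANSWERS if deceive else REAL_HOST_ANSWERS
    return table[query.indicator]


def flag_fingerprinters(queries, min_distinct=3):
    """Return {pid: image} for processes that probed at least `min_distinct`
    different indicators. Requiring several distinct indicators keeps a single,
    innocent inventory lookup (e.g. an asset agent reading RAM) from being flagged."""
    seen = defaultdict(set)
    images = {}
    for q in queries:
        seen[q.pid].add(q.indicator)
        images[q.pid] = q.image
    return {pid: images[pid] for pid, inds in seen.items() if len(inds) >= min_distinct}


# Constructed telemetry: one process probes all five indicators, one does a single lookup.
SAMPLE_LOG = [
    "pid=4120 image=invoice_scan.exe query=cpu_count",
    "pid=4120 image=invoice_scan.exe query=ram_mb",
    "pid=4120 image=invoice_scan.exe query=disk_gb",
    "pid=4120 image=invoice_scan.exe query=screen_resolution",
    "pid=4120 image=invoice_scan.exe query=usb_devices",
    "pid=5002 image=inventory_agent.exe query=ram_mb",
]


def demo():
    queries = parse_query_log(SAMPLE_LOG)
    # The view the probing process gets when every answer is the sandbox-like one.
    deceived_view = {q.indicator: answer_query(q) for q in queries if q.pid == 4120}
    return {
        "dormant": looks_like_sandbox(deceived_view),                 # True: it sleeps
        "would_run_on_real_host": not looks_like_sandbox(REAL_HOST_ANSWERS),
        "flagged": flag_fingerprinters(queries),                      # {4120: 'invoice_scan.exe'}
    }


if __name__ == "__main__":
    print(demo())
```

The `min_distinct` threshold is the practical knob: legitimate installers and inventory agents do read CPU or RAM figures, so a single lookup should not raise a flag, whereas a process that walks through several sandbox indicators in sequence is the pattern the article describes.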
There are so many evasive techniques employed by malware today to remain undetected by endpoint security, all of which can be turned against it to shut it down, that it is surprising this approach is not as widespread as the less effective detection-and-response approaches.
Not only that, but since this approach doesn’t negate or contradict detection, it can easily complement and upgrade any security stack without the need to make any sacrifices.
https://www.forbes.com/sites/forbestechcouncil/2022/05/10/why-is-cybersecurity-today-moving-in-the-wrong-direction/?sh=52066a6c5ab1