HP's Quarterly Threat Insights Report (March 2021) reported that roughly 29% of the threats it observed were 'unknown' threats, meaning they had not been seen before.
This post is intended to shift your attention to Unknown cyberthreats...
Before I do that, it will help to look at a statement made by former US Secretary of Defense Donald Rumsfeld in 2002. He observed that:
“Reports that say that something hasn’t happened are always interesting to me, because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns—the ones we don’t know we don’t know…”
Although he was speaking about foreign policy, the same breakdown fits cybersecurity well.
If you break this statement down, you get three categories:
- Known knowns = threats that exist and that you are aware of (you have a signature, a hash or an indicator for them)
- Known unknowns = threats you know exist in some form (a class of attack, an exploit being traded) but that you have not yet seen or characterised
- Unknown unknowns = threats that may exist somewhere out there, but of which you (and perhaps everyone else) have no clue or inkling yet
Most traditional security products are built to act on known threats (the first two categories). The moment they see something that is already known to be malicious, they block it.
-
What Are UNKNOWN Cyber-Threats?
These are threats that nobody had seen before: no signature, hash or indicator exists for them yet.
For example, malware that has been in the wild for a while is a known threat. Antivirus and antimalware vendors update their tools to block these attacks. But what about the unknowns, like new zero-day exploits suddenly sprung on unsuspecting targets?
To get past security products that reliably block 'known' threats, attackers are forced to create something that has never been seen before, which raises the cost of executing an attack.
-
How Do They Create Unknown Threats?
Signatures cannot be written fast enough for the volume of new malicious files found every day, and most signature-based antivirus products still rely on exact matches (hashes or byte patterns of samples already seen) to stop threats. Attackers have adapted accordingly.
Threat-actors follow Darwin's Principle of 'Survival Of The Fittest'...
First, they create an initial strain of malware, then generate forks of it with specific variations. They run these variants through the major signature-based antivirus products in an offline lab, so that the vendors never see the samples. Many of the new variants trigger an alarm. But SOME go undetected. These are the first win.
Then the attackers take these survivors and fork them again with new variations. After enough iterations, the lineage descended from the original strain evades most antivirus programs. This polymorphic approach is one way to defeat traditional antivirus: Darwin's principle of survival applied to breeding resilient malware.
Isn't it highly interesting?
On its own, a strain that evades antivirus is not yet dangerous; it has only solved the delivery problem.
Now the attackers are left with two choices:
1. They can build unknown threats that look like legitimate programs and are hard to detect, usually by weaponizing the new strain.
2. Or, in a more sophisticated operation, they might not use weapons at all.
No weapons at all?
Why bring weapons in from outside, as a bank robber would? Attackers only need to get inside, and a fork of the strain that evades detection gets them there.
So they first secure access (an exposed VPN with a weak password, phishing, an exploit, and so on). From then on they avoid dropping malware and use only the tools and credentials already present on the systems, which keeps them stealthy, while they work on privilege escalation. Once they hold admin rights, they have the 'official' weapons already inside the infrastructure. Admin rights are the ultimate weapon.
Often targets of these attacks don’t even know they’re compromised until their information is dumped on the Internet.
-
3 Scenarios You Can Think About
1. Recycled Threats
Security products are bound by CPU and RAM like any other software, and together those set a ceiling on how much they can check per file or packet. So vendors prioritise keeping their products current for the newest KNOWN threats, which already number in the millions. But what about an old threat that attackers have not used for a long time?
Attackers pick an old threat and RECYCLE it precisely because it has a high probability of slipping past products that have aged out its signature. Recycled threats are the most cost-effective attack method available, which is why attackers so often reuse existing threats and previously proven techniques.
What is the solution?
To protect against these "unknown" recycled threats, the practical solution is a threat-intel memory keeper in the cloud: your security product must be able to consult a larger, cloud-hosted knowledge base of threat intelligence that still holds the old signatures the local engine has dropped.
-
2. Modified Existing Code
This method is somewhat more expensive than recycling threats. Attackers take an existing threat and make slight modifications to the code, either manually or automatically, as the threat moves through your network. The result is polymorphic malware or a polymorphic URL.
Once inside your network, the malware keeps morphing automatically and rapidly. If a security product identified the original threat as 'known' and built its protection around that one variation, any slight change to the code turns the threat back into an 'unknown' one.
The result is that products that match threats purely by file hash cannot detect the modified malware, because changing even a single byte produces a different hash.
What is the solution?
To protect against these threats, use security products that match on polymorphic signatures rather than on hashes alone. Polymorphic signatures are built from the content and patterns of traffic and files rather than from a hash, so one signature covers multiple variations of a known threat. They key on behaviour and invariant structure rather than on a fixed encoding, which lets them catch the patterns that survive in modified malware.
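The two signature styles side by side, as an added example that is not part of the original post. The 'malware' is a constructed byte string with a fixed command-line payload and a junk region the attacker is free to vary (the `-enc` argument is only a marker here, not a valid encoded command); it executes nothing. The mutation loop mirrors the attacker's offline lab described above, and the hash set, pattern and weights are assumptions for this illustration, not any vendor's signatures.

```python
"""Added example (not from the original post): why an exact-hash signature
fails against trivially mutated forks while a content/pattern signature
still fires. The 'malware' is a constructed byte string; nothing runs."""
import base64
import hashlib
import random
import re


def build(junk: bytes, encoded_arg: bytes) -> bytes:
    """Assemble a fake dropper: pretend header, variable junk, invariant logic."""
    return (
        b"MZ\x90\x00JUNK:" + junk + b";"
        + b"cmd.exe /c powershell -nop -w hidden -enc " + encoded_arg
    )


# The sample the defender first captured and wrote signatures for.
ORIGINAL = build(b"\x00" * 16, base64.b64encode(b"Hello"))


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Signature style 1: exact hash of the sample seen. Any single-byte change
# in a fork yields a different digest, so only ORIGINAL itself matches.
HASH_SIGNATURES = {sha256(ORIGINAL)}

# Signature style 2: a pattern over content that ignores the variable parts
# (junk bytes, the encoded argument) and keys on the invariant behaviour:
# a hidden PowerShell launched with an encoded command.
PATTERN_SIGNATURE = re.compile(
    rb"cmd\.exe /c powershell[^\n]{0,64}?-enc [A-Za-z0-9+/=]{4,}"
)


def hash_detects(sample: bytes) -> bool:
    return sha256(sample) in HASH_SIGNATURES


def pattern_detects(sample: bytes) -> bool:
    return PATTERN_SIGNATURE.search(sample) is not None


def fork(rng: random.Random) -> bytes:
    """One polymorphic fork: new junk and a re-encoded argument, same behaviour."""
    junk = bytes(rng.randrange(256) for _ in range(rng.randrange(8, 40)))
    suffix = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 9)))
    return build(junk, base64.b64encode(b"Hello" + suffix))


def example_fork(seed: int = 1) -> bytes:
    """Deterministic fork for demonstration."""
    return fork(random.Random(seed))


def evasion_rate(detect, seed: int = 2021, n: int = 50) -> float:
    """The attacker's offline lab from the post: generate n forks, keep the
    ones the detector misses, report the fraction that survive."""
    rng = random.Random(seed)
    forks = [fork(rng) for _ in range(n)]
    survivors = [f for f in forks if not detect(f)]
    return len(survivors) / n


if __name__ == "__main__":
    print("original caught by hash:   ", hash_detects(ORIGINAL))
    print("original caught by pattern:", pattern_detects(ORIGINAL))
    print("forks evading hash:   ", evasion_rate(hash_detects))
    print("forks evading pattern:", evasion_rate(pattern_detects))
```

Every fork evades the hash set (the attacker never needs a second generation), while none evades the pattern, because the pattern was written against the part of the sample the attacker cannot change without changing what it does. A real polymorphic signature is more elaborate than one regex, but the principle is the same: describe the invariant, not the encoding.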
-
3. Brand NEW Threats
Every stage of the attack lifecycle has to be NEW for an attack to truly count as a previously unknown threat. Only determined attackers with strong intent and substantial resources go to that length to build a new UNKNOWN threat.
What is the solution here?
You need to watch your network closely and pay attention to how your business normally behaves and how its data flows. You need to implement the cybersecurity 'best practices.' For example, segmentation and micro-segmentation combined with strong Identity & Access Management will help contain the spread of new malware across your network. You should always block downloads from unknown and unclassified websites. That is the first part.
The second part is to always use 'collective intelligence.' No single organisation ever experiences every new threat. Organisation A is hit with Malware-101, Organisation B faces Malware-301, and Organisation C faces Malware-701. That is why it matters to be able to draw on collective threat intelligence: 'unknown', never-seen-before threats quickly become KNOWN through global information sharing.
Remember to participate continuously in such threat-intel communities and forums. This habit gives you an edge over attackers in the long run. At the same time, you should be sending unknown files and URLs to a sandbox for analysis.
The effectiveness of sandbox analysis depends on how quickly it delivers an accurate verdict on an unknown threat, how quickly protections are created and rolled out across the organisation, and how the sandbox handles evasive samples (for example, ones that sleep or check for a virtual machine before doing anything).
Your security posture needs to change fast enough to block the threat before it can progress, in other words, as soon as possible. Automation helps enormously here.
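An automated verdict pipeline of the kind described above, as an added example that is not part of the original post. It ties together the cloud-side 'larger knowledge base' from the recycled-threats section and the sandbox-plus-sharing loop from this one: an unknown file is checked against a small local cache, then a shared feed, and only then sandboxed, with the verdict published back so the next organisation never pays for the sandbox run. Detonation is replaced by a constructed table of behaviour traces; the samples, event names, weights, threshold and cache size are all assumptions for this illustration.

```python
"""Added example (not the post's own code): an automated verdict pipeline
for an unknown file. Local cache -> shared feed -> sandbox, with the verdict
published back so other participants never have to sandbox it. Detonation
is replaced by a constructed table of behaviour traces."""
import hashlib
from dataclasses import dataclass, field

# Constructed samples and the behaviour trace each would produce when
# detonated. Event names and weights are assumptions for this example.
SAMPLES = {
    "dropper":  b"MZ dropper-v1",
    "updater":  b"MZ legit-updater",
    "sleeper":  b"MZ sleeper",
    "old_worm": b"MZ worm-2008",      # an old, 'recycled' threat
}
SANDBOX_TRACES = {
    SAMPLES["dropper"]:  ["spawn:powershell -enc", "write:Startup\\", "net:connect:raw-ip"],
    SAMPLES["updater"]:  ["net:connect:vendor.example", "write:ProgramData\\"],
    SAMPLES["sleeper"]:  ["sleep>300s", "check:vm-artifacts"],   # evasive, does nothing else
    SAMPLES["old_worm"]: ["net:connect:raw-ip", "write:Startup\\", "write:Startup\\"],
}
SUSPICIOUS_WEIGHTS = {"spawn:powershell -enc": 4, "write:Startup\\": 3, "net:connect:raw-ip": 2}
EVASION_EVENTS = {"sleep>300s", "check:vm-artifacts"}
MALICIOUS_THRESHOLD = 5


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sandbox_verdict(trace: list) -> str:
    """Score observed behaviour. A sample that only tries to evade the
    sandbox is not cleared: it is flagged for longer detonation or review."""
    score = sum(SUSPICIOUS_WEIGHTS.get(event, 0) for event in trace)
    evasive = any(event in EVASION_EVENTS for event in trace)
    if score >= MALICIOUS_THRESHOLD:
        return "malicious"
    if evasive:
        return "suspicious"
    return "benign"


@dataclass
class SharedFeed:
    """'Collective intelligence': one verdict table every participant shares."""
    verdicts: dict = field(default_factory=dict)     # sha256 -> verdict


@dataclass
class Organisation:
    name: str
    feed: SharedFeed
    local: dict = field(default_factory=dict)        # small on-box cache
    local_limit: int = 3                             # models limited CPU/RAM

    def remember(self, digest: str, verdict: str) -> None:
        self.local[digest] = verdict
        while len(self.local) > self.local_limit:    # drop the oldest entry
            del self.local[next(iter(self.local))]

    def check(self, sample: bytes) -> tuple:
        """Return (where the verdict came from, verdict)."""
        digest = sha256(sample)
        if digest in self.local:
            return "local", self.local[digest]
        if digest in self.feed.verdicts:              # someone else already ran the sandbox
            verdict = self.feed.verdicts[digest]
            self.remember(digest, verdict)
            return "feed", verdict
        verdict = sandbox_verdict(SANDBOX_TRACES.get(sample, []))
        self.feed.verdicts[digest] = verdict          # publish so others benefit
        self.remember(digest, verdict)
        return "sandbox", verdict


def run_scenario() -> list:
    """Two organisations on one feed; returns the (source, verdict) of each check."""
    feed = SharedFeed()
    a, b = Organisation("A", feed), Organisation("B", feed)
    return [
        a.check(SAMPLES["dropper"]),    # unknown everywhere: sandboxed, published
        b.check(SAMPLES["dropper"]),    # B gets the verdict from the feed, no sandbox
        a.check(SAMPLES["dropper"]),    # A now answers from its own cache
        a.check(SAMPLES["sleeper"]),    # evasive-only sample is not cleared
        a.check(SAMPLES["updater"]),
        a.check(SAMPLES["old_worm"]),   # fourth distinct sample: A evicts the dropper locally
        a.check(SAMPLES["dropper"]),    # recycled threat: gone from A's cache, still in the feed
    ]


if __name__ == "__main__":
    for source, verdict in run_scenario():
        print(f"{source:8} {verdict}")
```

The last two checks are the point of the recycled-threat discussion: the local engine has forgotten the dropper, but the shared feed has not. The sleeper shows the evasion caveat: a sample that does nothing except stall or probe for a sandbox must not be released as benign just because no malicious behaviour was observed within the time budget.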
-
This Article Was Written & published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.
Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...