Evolution of Antimalware TechnologiesSentinel Africa
Over 500,000,000 malware threats have been detected in the last decade, this can be evidenced by cyber statistics reported by multiple sources including National KE-CIRT. The malware variants detected have been mutating rapidly making it difficult for Security Analysts to secure the environment against malware attacks. The technologies implemented had to also be refined and upgraded to be able to prevent, detect and respond to malware threats.
In this article, we will be understanding the various components utilized by traditional antimalware tools. We will also look at the modern antimalware components and how they address the growing need of achieving cyber resilience. The traditional antivirus was a signature-based antivirus management system. A signature-based antivirus identified segments of codes and matched them against historical data gathered from previous identified malware. This technique was “a catchup” technique where the updates provided had to match the malware components analyzed by vendors.
Signature based detection could not match the rapid evolution of malware. In the early 2000s the malware detected were targeting Windows based systems. The malware evolved to be able to target more complex systems, and Stuxnet Virus is a perfect example of such malware. The traditional antivirus had to evolve to have additional components which identified the behavioral aspects of malware artifacts detected.
The technology utilized in these antiviruses was Heuristic detection and analytics. Heuristic analysis is a proactive technique which combines signature-based detection and behavioral analysis to detect new malware variants. However, this technique had a lot of false positives detected as legitimate programs which had a similar behavior with rootkits, trojans and logic bombs could be detected and quarantined/disinfected. A lot of rules(policies) had to be defined to ensure continuity of business operations. This led to the emergence of Sandbox Virtualization technology.
Sandboxing is an advanced dynamic malware technique which involves replicating a secure live environment to monitor the behavior of malware variants upon execution. The sandbox made it easier for the Security Analysts to have visualization of the malware behavior, attack techniques and its end goal. Attackers developed techniques to evade and detect sandbox environments to ensure persistence of the malware attack. The technique developed was the armoring and obfuscation techniques which hinder analysis of the malware and evades detection in sandbox environment.
An antivirus combining signature based, rules(policies) and a sandbox environment was not as effective against the new generation of malware variants. “The traditional antivirus had to die, and a rebirth of the antimalware welcomed”. The antimalware combines signature-based detection and advanced prevention, detection and response techniques against malware attacks. A highlight of what encompasses a modern antimalware is: multiple layers of security, behavioral analytics, risk analytics, intrusion detection systems and endpoint detection and response system.
All the components in the modern antimalware work hand in hand to compliment each other and build a layered defense model. During the COVID19 Pandemic we have seen an increased demand of Antimalware to protect users who were working from home. Proper antimalware management complimented remote working and offered visibility of all managed endpoints (EDR) and eXtended Detection and Response (X.D.R) systems rose to be the next generation of Antimalware technologies which strengthen the Security Operations Centre of an organization.
Although the threat landscape keeps increasing and new attack vectors discovered, it is important for organization to consider implementing controls which provide visibility through one single dashboard. Security exhaustion is a factor that needs to be addressed through implementing solutions that enhance the Security Analyst work through autonomous detection and response.