A common theme among some of the companies we've been working with lately has been the acknowledgement that they are already hacked or infected; they just can't prove it. This theme has been echoed at many of the conferences I’ve attended over the past few years, so maybe it is starting to sink in a little! Regardless of the source, these organizations have a common objective: they want to locate the malware that is dodging their current defenses.
If you think about it, this is a very daunting task. The job is to narrow a list of hundreds of thousands or millions of files down to the subset that is questionable. This is not too different from challenges that face other industries, like law enforcement, where they attempt to identify a thief or an organized crime gang among millions of innocent people. So, using Parity, I’ll demonstrate how to speed this effort along.
We’ll rely on the file attributes that Parity gathers and exposes for reporting, along with the reporting and filtering functionality available in the solution.
First, I’ll define three categories of attributes that we’ll use in the analysis: authenticated, reasonable, and unreliable. Authenticated attributes are a digital signature (one whose certificate chain actually validates) or a cryptographic hash of the file’s content; these are relatively irrefutable, much like a fingerprint. Reasonable attributes are ones that are discovered by the operating system or by Parity and are accurate but not by themselves conclusive: file path, Threat score, or file size. Unreliable attributes are ones that live in the file’s own metadata and can be set to anything by whoever built the file, so they should not be used for making a decision: company name, product name, or product version.
With those attributes as our framework, let’s look at some ways to narrow down our population of files.
With the Parity software, we can create baselines of our existing standard images. I know I used to build my standard images in an offline setup so I had a reasonable degree of certainty that malware didn’t exist in my standard image. We can then filter out every file whose hash appears in those baselines, treating them as known-good files.
Next, I’ll toss out all of the files that are digitally signed. Here “signed” should mean the signature verifies against a trusted chain, not merely that a signature block is present; a file with a broken or self-signed signature belongs with the unsigned population. True, malware could be signed, but I can list all of the signed files in a separate Parity report, and an odd signer is easy to spot in that much shorter list.
I’ll also use the reasonable attribute of Threat to toss out all of the clean files. Threat is a hash-level verification that Bit9 has an exact copy of that file in our ParityKnowledge repository and that it has checked out as clean with all of the leading anti-virus scanners.
Finally, I’ll filter out all of the files larger than 1MB. Why would I do that? Well, I took a look at over 10 million pieces of malware that we have collected for our knowledge base, and statistically speaking, 99% of malware over the past decade has been smaller than 1MB. I thought that was pretty amazing, but it actually makes sense: who wants to try to surreptitiously move a 10MB file around a network and onto hundreds of machines?
I can also filter on other reasonable attributes like Trust, file prevalence, and file path to whittle my list down further.
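Putting the filters above together in code, as an added example that is not part of the original post and not Parity’s own code: the endpoint inventory, the golden-image contents, the Threat values and the prevalence counts are all constructed stand-ins for what the tool would report, and “signed” is assumed to mean a signature whose certificate chain validates. The point is the order of the stages and the per-stage counts, which tell you how much work each filter is actually doing before you start on what is left.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass

SIZE_LIMIT = 1_000_000  # the post's 1 MB cut-off, in bytes


@dataclass
class FileRecord:
    """One row of an endpoint file inventory (constructed field set, not Parity's schema)."""
    path: str
    sha256: str
    size: int
    signed: bool        # True only if a signature is present AND its chain validates (assumption)
    threat: str         # "clean" or "unknown"; constructed values, not Parity's real scale
    prevalence: int     # number of endpoints the hash has been seen on
    signer: str = ""    # subject of the signing certificate, empty when unsigned


def sha256_hex(data: bytes) -> str:
    """The authenticated attribute: a hash of the file's content."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(golden_image: dict[str, bytes]) -> set[str]:
    """Hash every file of a standard image built offline, so later matches are known-good."""
    return {sha256_hex(content) for content in golden_image.values()}


def triage(inventory: list[FileRecord], baseline: set[str], size_limit: int = SIZE_LIMIT):
    """Apply the post's filters in order and report how many files each one removed."""
    stages = [
        ("in baseline", lambda f: f.sha256 in baseline),
        ("signed (validated)", lambda f: f.signed),
        ("threat = clean", lambda f: f.threat == "clean"),
        (f"larger than {size_limit} bytes", lambda f: f.size > size_limit),
    ]
    remaining = list(inventory)
    removed: dict[str, int] = {}
    for name, drop in stages:
        before = len(remaining)
        remaining = [f for f in remaining if not drop(f)]
        removed[name] = before - len(remaining)
    # Rank what is left by prevalence: a hash seen on one host is a better lead than one seen on forty.
    remaining.sort(key=lambda f: (f.prevalence, f.path))
    return remaining, removed


def signed_report(inventory: list[FileRecord]) -> dict[str, list[str]]:
    """The separate report of signed files, grouped by signer, for spotting signed malware."""
    report: dict[str, list[str]] = {}
    for f in inventory:
        if f.signed:
            report.setdefault(f.signer, []).append(f.path)
    return report


# Constructed stand-in for a standard image: path -> file content.
GOLDEN_IMAGE = {
    r"C:\Windows\System32\kernel32.dll": b"kernel32 bytes",
    r"C:\Windows\System32\ntdll.dll": b"ntdll bytes",
}
BASELINE = build_baseline(GOLDEN_IMAGE)

# Constructed endpoint inventory; hashes are derived from the constructed contents above.
INVENTORY = [
    FileRecord(r"C:\Windows\System32\kernel32.dll", sha256_hex(b"kernel32 bytes"), 700_000, True, "clean", 5000, "Microsoft Windows"),
    FileRecord(r"C:\Windows\System32\ntdll.dll", sha256_hex(b"ntdll bytes"), 1_900_000, True, "clean", 5000, "Microsoft Windows"),
    FileRecord(r"C:\Program Files\Vendor\app.exe", sha256_hex(b"vendor app"), 4_200_000, True, "unknown", 800, "Vendor Inc"),
    FileRecord(r"C:\Users\alice\AppData\Local\Temp\setup.exe", sha256_hex(b"big installer"), 12_000_000, False, "unknown", 3),
    FileRecord(r"C:\Users\alice\AppData\Roaming\svchost.exe", sha256_hex(b"dropper"), 48_000, False, "unknown", 1),
    FileRecord(r"C:\ProgramData\update\helper.dll", sha256_hex(b"helper"), 210_000, False, "clean", 40),
    FileRecord(r"C:\Windows\Temp\x.tmp", sha256_hex(b"tmp payload"), 96_000, False, "unknown", 2),
]

if __name__ == "__main__":
    suspects, removed = triage(INVENTORY, BASELINE)
    for stage, n in removed.items():
        print(f"dropped {n:3d} {stage}")
    print(f"{len(suspects)} of {len(INVENTORY)} files remain for analysis:")
    for f in suspects:
        print(f"  prevalence={f.prevalence:<4} {f.sha256[:12]}  {f.path}")
    for signer, paths in signed_report(INVENTORY).items():
        print(f"signed by {signer}: {len(paths)} file(s)")
```

Running it prints the count each stage dropped and the remaining files rarest-first, with the signed population summarized by signer as a separate list. Trust and file path filters slot in as further entries in the same `stages` list; because the stages run in order, putting the cheapest and most decisive filter (the baseline hash match) first keeps the per-stage counts honest about where the reduction comes from.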
In my tests, using many of the filters mentioned above, I’ve been able to pare down my population of files by 90% or more. Does it draw an arrow and pinpoint the advanced threat? Not at first blush, but thieves aren’t exactly lined up outside the police station volunteering their identity either. It definitely sets me up, however, to do so in a much shorter timeframe with the remaining files!