Dr. Giovanni Vigna, CTO of Lastline, offered the following useful insight into anomaly detection: “Not all anomalies are malicious, and not all malicious behavior is anomalous.” If you are managing SecOps, how do you deal with this puzzle? As Vigna put it, do you assign a $250,000 a year senior security analyst to investigate what turns out to be a benign anomaly? That would be a huge waste of resources, of course, if you could even know that the anomaly in question was not a threat.
Lastline is in the business of helping organizations face this type of challenge. At RSA, they announced their new Lastline Behavioral Intelligence Program, in which threat researchers investigate cyberattacks and publish unique, actionable information about advanced malware and threats in the form of targeted alerts and detailed reports.
“Too many security tools ignore or misidentify the malicious behaviors that are essential to understanding the scope and intent of an attack,” said Vigna. “Instead, we focus on detailing the behaviors that advanced attacks exhibit. With this information, your security team can secure your network, email and so forth.”
Lastline CEO and co-founder, Chris Kruegel added, “The Lastline Behavioral Intelligence Program is built on core strengths of Lastline – our understanding of malicious behaviors and our ability to connect them to intrusions and breaches. With this program, we’re overcoming serious shortcomings in existing threat intelligence systems that deliver one-time IoCs that are essentially useless for blocking future attacks, resulting in broken incident response processes and ineffective intrusion defenses.”
The company also published the results of its first comprehensive malware behavior report, the Q4 2017 Malscape® Monitor Report. This report is the first in an on-going series that will deliver previously unavailable trends and actionable insights into malicious behaviors and how threats unfold.
The tens of millions of samples that Lastline analyzed for this report were for the most part scanned and released by other security solutions, meaning Lastline is literally “The Last Line of Defense®.” Reflecting the objects analyzed in the last quarter of 2017, the report found:
- Enterprises, and malware authors, use a wide range of file types, illustrating the need to have protection parity across all attack vectors
- Of the objects received via email or online and cleared by other security tools, one in 500 were found to be malicious, resulting in malware being introduced daily into enterprise networks
- Sixty-five percent of malware files had never been submitted to VirusTotal and were seen only once by Lastline, leaving signature-based detection technologies ineffective
- One in 12 malware samples exhibit particular advanced persistent threat capabilities that make them hard to detect and particularly dangerous
Ninety percent of files that Lastline determined to be malicious were given generic labels by AV tools, such as trojan.generic, providing limited guidance for successful remediation and leaving enterprises exposed to subsequent attacks resulting from compromised credentials
The file types that malware authors used to launch attacks varied widely across regions, as did the payloads and targets
The company also is announcing the Lastline Behavioral Intelligence Program, an innovative behavior-based approach to threat intelligence that will improve security effectiveness, speed to remediation, and completeness of remediation. Using data from Lastline’s global deployment of millions of sensors, the program will make unique actionable information about cybersecurity threats publicly available to inform security teams’ ability to detect and block attacks and improve their efforts to secure email, web access, corporate networks, and cloud storage and apps.
The program initially will consist of online access to threat analysis showing how malicious files are delivered, including new trends as they emerge, which will help security teams bolster defenses. In addition, Lastline will release high-level views of malware in the wild, such as the Malscape Monitor Report, details of threats against specific market segments or geographies, and details of a particular attack’s capabilities plus remediation recommendations.