Many aspects of cyber-attacks resemble time-tested techniques found in nature. Self-propagating malware is reminiscent of biological viruses spreading from one organism to another, and malicious software designed to resemble legitimate files parallels leopards that blend into trees to hide from prey. One methodology in particular can help with both attacks and defenses: mimicry.
The term mimicry originated in the 1680s, referring to one organism looking like – or mimicking – the behavior and traits of another. In biology, mimicry is a survival technique that comes in two flavors. Defensive Mimicry conceals an organism’s presence from predators and aims to induce a specific behavior from the attacker to benefit the mimetic organism. Aggressive Mimicry is used by a predator to go unnoticed by its prey. The predator attempts either to look like another animal to lure its prey or to obfuscate its presence entirely.
A great modern-day geeky example of mimicry is the Mystique character from the X-Men movies. Mystique is a shape-shifter, with the mutant ability to take on the look and sound of another person. While Mystique isn’t working along the simple “prey or predator” philosophy, she does use her mimicry powers to gain the advantage of surprise, concealment, or access.
So, what’s this got to do with malware?
A lot, actually. The concept of using deception to either defend or attack has evolved from being solely found in nature (or movies) and has found its way into the world of modern attacks and defenses.
Mimicry: The Evasive Evolution of Malware
Malware that uses forms of evasion can be found in countless information security incidents today, and often uses mimicry techniques to conceal its presence from antivirus tools – the “predator” as it were. With a bit of trickery, malware can hide from both traditional and “next-gen” anti-malware solutions. In this context, malware can incorporate the concept of mimicry in a number of ways, including:
- Malware mimics benign code – malware authors often craft their malicious programs to resemble legitimate software to fool AV tools. Only once this malware gets past AV does it unpack itself and perform malicious actions.
- Malware mimics known processes – malware can implement memory injection, whereby malicious code is injected into the area of memory used by a known-good process. This makes the malicious code appear to be part of a legitimate application, avoiding AV detection.
Your Security Needs an Evolution of its Own
The success of mimicry in nature is undeniable – it helps species of organisms and animals continue to survive. And in the world of “malware vs. security tools,” the same outcome is being seen daily; organizations that rely solely on detection-based endpoint protection measures are finding themselves falling victim to attacks that leverage evasive techniques.
Your security strategy should also evolve to include a layer of defense that employs mimicry and other forms of deception on the endpoint. This means addressing evasive malware not by detecting it (which is difficult at best, considering the malware is specifically coded to avoid detection), but by countering its evasion tactics, playing it at its own game in order to prevent it from bypassing other security measures. Using mimicry of their own, such solutions can take advantage of the malware’s desire to be evasive and present it with artifacts that represent security solutions, VMs, sandboxes, and forensics toolkits – all in an effort to make the environment look “poisonous” to the evasive malware, keeping it from ever executing. The analogy in nature is an animal appearing to be something poisonous to keep an attacker at bay.
Using Mimicry to Your Advantage
Your traditional detection-based solutions will address the non-evasive malware. But when malware employs mimicry, the only way to stop it is with mimicry of your own. By layering a solution specifically designed to stop evasive malware on top of your detection-based solutions, you provide a more comprehensive protective barrier that ensures all malware is stopped before it impacts your organization.
To find out more about evasive malware and how to evolve your security strategy, read the whitepaper Evasive Malware: How and Why Your Anti-Malware Strategy Needs to Evolve Beyond Antivirus.