There was a period of time not long ago in which signature-based threat detection was cutting-edge. Antivirus, intrusion detection systems (IDS), data leakage prevention (DLP), content filtering and even anomaly detection systems (ADS) all continue to rely heavily upon static signatures. In recent years vendors have shied away from discussing their dependence on such signatures — instead extolling supplemental "non-signature-based" detection technologies.
In most cases these "non-signature-based" detection technologies appear to be largely a marketing ploy rather than some kind of new innovative solution; consider it a redefinition of what the dictionary would ordinarily define as a "signature" to overcome the inhibitions or bias of potential product purchasers. For example, if you define a signature as a single basic regular expression, then a threshold-based alerting policy could be considered a "non-signature" alternative.
I wanted to provide a walkthrough of the logic of a (real) non-signature-based detection technology. Perhaps "technology" isn't quite the right word; rather let's discuss it in terms of a confidence-based detection system. For example, for the purpose of edification, let's consider a device reaching out to remote server — a destination that hasn't been touched by the device ever before.
In the vast majority of cases a device will need to resolve a domain name in order to determine the remote IP address of the sever it is planning on connecting to. That DNS traffic contains a wealth of information if you can correlate with other external data sources and you know how to act upon it.
Signature-based detection systems could of course look up the IP address or domain name against their blacklist. If either of those data elements appear upon a list, then the traffic could be classified as malicious and blocked — if not, everything is probably "fine". In the case of detection systems that utilize dynamic reputation, a scalar value representing the "suspiciousness" of the domain/IP and perhaps the class of threat would be returned (even if the domain and/or IP has never been seen before) and a threshold-based action would occur within the protection technology.
Supplemental to those signature-based detection approaches you could instead start dissecting the observation — compiling levels of suspiciousness and circumstantial evidence — and arriving at a conclusion of maliciousness.
Consider the following aspects of determining the nature of the interaction based purely from observing the DNS traffic related to the resolution of a single host lookup:
Knowing that the IP address belongs to a country with which the Fortune 1000 company doesn't do any/much business with may be a little suspicious and worthy of more thorough study.
"Is the destination address a residential IP address?"
"Is the destination address a static or dynamic IP?"
Knowing that a corporate device it trying to connect to a remote server located within a residential network should be suspicious to most network administrators — hinting at a number of threats or unwanted traffic.
"When was the domain name registered?"
"Are there any features of the domain registrant details that cause concern?"
Knowing that the domain name was registered 2 hours ago is significant. So too is knowing that details of the registrant match a large number of previously detected and categorized malicious domains.
"How many other domain names have pointed to the same IP address over the last 1/7/30 days?"
"Are any of the domain names pointing at that IP address known to be related to a particular threat?"
By associating an unknown or previously unclassified domain with domains with which historical information and threat attribution exists, enables the corporate entity to evaluate a "guilt by association" value.
"Is the domain reliant upon free Dynamic DNS provisioning?"
"What is the reputation of the authoritative DNS server?"
"Which country is hosting the authoritative DNS server?"
Dynamic DNS (DDNS) services are heavily abused by cybercriminals today — and are rarely used by large commercial entities. Understanding the location and past history of the authoritative DNS server (e.g. what proportion of domains hosted at the DNS server have previously been identified as malicious?) hints to the legitimacy of the destination IP address.
"How frequently is this domain name looked up?"
"Which countries or organizations have also looked up this domain name?"
"Who was the first to look up this domain name and get that response?"
Knowing that a particular domain name has only been looked up by three US-based Fortune 500 companies in the last year is suspicious. Knowing that the same domain name points to an IP address in Iran and has never been looked up by anyone else in the world would be highly suspicious and indicate a level of targeted attack.
"Is the IP address a known sinkhole?"
"Is the IP address associated with a commercial content delivery network?"
"Is the IP address associated to a domain registrar's holding page?"
Knowing that the IP address is pointing to a sinkhole is a pretty obvious indicator that someone already thinks this particular domain name is malicious and associated with a threat. Meanwhile, knowing that the domain is pointing to a generic domain registration holding page could indicate that the domain has been taken down for being malicious, or is waiting to be staged by the criminals, etc.
There are more features that can be extracted from the successful resolution of a domain name than those listed above — but I'm sure you appreciate by now that a large amount of information can be obtained and associated with even a previously unknown domain name — and a certain degree of confidence can be obtained as to the suspiciousness (or maliciousness) of it.
For example, consider the following scenario:
Obviously it shouldn't take a genius to figure out that not much good is going to come from the device connecting to this particular remote host. All the evidence is circumstantial, but pulled together it becomes actionable intelligence. Most importantly though, all of this can be carried out using just a single DNS response (before any malware is downloaded, before any vulnerabilities are exploited, and before any user is socially engineered) — meaning that protection systems that can handle this level of non-signature-based threat determination engine can take preventative actions before the device has even begun to connect to the destination server.
When I think of non-signature-based detection systems, this is one approach that springs to mind. Such deterministic systems exist today — and they're working very nicely thank you.
By Gunter Ollmann, Chief Security Officer at Vectra
|Data Center||Policy & Regulation|
|DNS Security||Regional Registries|
|Domain Names||Registry Services|
|Intellectual Property||Top-Level Domains|
|Internet of Things||Web|
|Internet Protocol||White Space|
Minds + Machines
Afilias - Mobile & Web Services