CVE-2019-0539 Root Cause Analysis
Email is widely deployed, well understood, and used to communicate with external organizations, making it the most commonly used channel for both opportunistic and targeted attacks. Over the years organizations have implemented multi-layered approaches to protect their email, because no single solution has provided sufficient results. To date, email protection is based on two main principles/technologies:
Unfortunately, as email protection technology improves, so too do attacks, as hackers create innovative methods to evade these protections. Whether it is the “everyday” attacks such as spam and phishing that trick the average user, or more advanced attacks such as hidden malware/exploits in attachments and URLs, attackers have many ways to penetrate an organization via email. And despite the millions invested in user training, it takes just one instant of not paying attention for an employee to be tricked into opening a malicious email.
Let’s have a look at the most common types of technologies, and understand their place in today’s threat landscape.
Mail relays have typically been the first in the stack of email protection. Mail relays are used to configure parameters for the email server, as well as protect the server from receiving large quantities of messages from the same sources, spam and reputation-based attacks. The mail relay’s prime purpose is the sending and receiving of emails, and as such was not built with “protection” in mind, making it a very easy layer for attackers to bypass.
Traditional antivirus software relies heavily upon signatures to identify malware. The backbone of AV solutions is a database of tagged, known malware, each entry being a signature. When a malicious file is eventually picked up, researchers analyze the attack, and once it is determined to be malware, a signature of the file is created and added to the AV’s database. This form of protection is highly dependent on having the most up-to-date signature database (hence having to always update your AV).
Although the signature-based approach can effectively contain everyday malware outbreaks, attackers stay a step ahead fairly easily by using known techniques such as oligomorphic, polymorphic and metamorphic viruses, which modify or disguise the code so that it no longer matches the signature in the database. As such, Advanced Persistent Threats (APTs) and other more sophisticated attacks easily bypass AVs.
The sandbox was a revolutionary technology and approach to defending against attacks. A sandbox is essentially an isolated environment providing a safe place to execute and observe malicious code. The sandbox poses as the end-user’s operating environment. This leads the attacker to assume he/she has penetrated the exterior defense and can initiate malicious behavior. Once the sandbox observes malicious behavior it tags it as such and does not allow that sample to pass through to the inbox.
Although sandboxes in their time were a revolutionary technology and genuinely had a positive effect on defending against and deterring attackers, as history has shown, attackers slowly figured out how they work and developed techniques to evade detection. There are several evasion techniques that can outsmart a sandbox. Some of the more common methods involve the attacker simply checking whether a mouse or a printer is connected to the ‘computer’. Once the attacker realizes the code is running in a virtual environment (sandbox), it is simply told to go to sleep until it lands in the real end-user’s environment. Adding to this, the other negative aspect of a sandbox is the time it takes to scan. Depending on the solution, a sandbox can generally take from 7-20 minutes to scan a sample, as it is simply waiting to “see” malicious behavior. This has a very negative impact on business flow, especially considering the critical nature of email communication.
The reality is that cybersecurity follows a cat-and-mouse model, and we are at a point where the defensive side of the industry needs to take a new approach – one that has more staying power, particularly given the rapid attack innovation cycles of today. One of the biggest challenges has been that solutions take hardware-only or software-only approaches. While hardware (e.g. the Intel NX bit) offers full visibility into attacks, long integration cycles mean significant delays between the invention of new evasion techniques and the release of new hardware defensive measures. On the other hand, while software solutions (e.g. sandboxes) can be rapidly updated, their visibility is limited and therefore they can be easily tricked. Read more about this back and forth in our previous blog.
This is the challenge we have managed to overcome with the invention of our HAP technology. It’s the first platform with visibility at the initial stage of code execution. This enables us to clearly see attempts to attack at the exploit stage, far earlier than existing technologies, and provide a definitive verdict on malicious intent. This technology does not rely on signatures, behaviors or heuristics, and is therefore extremely difficult to evade. It’s no silver bullet – but it is certainly the most robust and agile threat protection on the market today, enabling the defense to stay ahead of advanced hacking techniques.