The Eternal Flaw of One-Shot Detection Methods

Yesterday, I read Sara Peters' article in Dark Reading, "DGA.Changer Gets Anti-Detection Upgrade," which discussed how DGA.Changer has added a new trick to its arsenal: a technique that fools security tools into thinking they have captured it while it has already slipped away.

Well, at Cybereason we believe that even these "fooling" techniques can be spotted using the right capabilities.

When you examine the attack in vitro, it is too easy for the attacker to fool you. The burden of making the analysis work is on you, while the attacker only has to choose which escape trick to use. This is especially pronounced when you rely on a one-shot decision model: if the malware fools you at that specific moment, it is free to do as it pleases thereafter.

However, when you keep your eye on your whole environment, continuously, there is no way you can be fooled. Detection that is done in situ and looks at the attacker's actual behavior pattern is bound to reveal his or her true nature. Cybereason detects both old and new variants of DGA-based malware, not by knowing each of them in particular, but by detecting their true nature in the system.
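The contrast drawn in the two paragraphs above, as an added example (not Cybereason's code and not a model of DGA.Changer's internals): a one-shot check that judges the single DNS query it happens to observe, next to a continuous check that counts random-looking lookups that fail to resolve per host over a sliding window. The DNS log, hostnames, log format, entropy and length thresholds, and window size are all constructed assumptions for this illustration.

```python
import math
from collections import defaultdict, deque

# Constructed sample DNS log, not real traffic. Format: "seconds host domain rcode".
# host-a shows the pattern of DGA-style malware: a burst of random-looking
# names that do not resolve, bracketed by ordinary-looking successful lookups.
# host-b is a normal workstation that mistyped one domain.
SAMPLE_DNS_LOG = """\
0 host-a www.example.com NOERROR
5 host-a xk3q9zr7btvu.com NXDOMAIN
9 host-a q8zv2lp0wdhs.net NXDOMAIN
14 host-a mb7ycf4jtrqa.org NXDOMAIN
18 host-a zp1ok5wn3gvx.com NXDOMAIN
23 host-a tr9dx2lvqm8e.net NXDOMAIN
30 host-a updates.example.net NOERROR
2 host-b mail.example.com NOERROR
40 host-b gogle.com NXDOMAIN
70 host-b calendar.example.com NOERROR
"""


def shannon_entropy(text):
    """Bits per character; machine-generated labels tend to score high."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_algorithmic(domain, min_len=10, min_entropy=3.0):
    """Heuristic on one name: a long, high-entropy second-level label.
    The thresholds are assumptions for this example, not tuned values."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return False
    sld = labels[-2]
    return len(sld) >= min_len and shannon_entropy(sld) >= min_entropy


def one_shot_verdict(domain, rcode):
    """One-shot model: judge only the single query observed at inspection time.
    A benign-looking query at that moment yields a clean verdict."""
    return looks_algorithmic(domain) and rcode == "NXDOMAIN"


def parse_log(text):
    """Parse the constructed log into (seconds, host, domain, rcode) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, host, domain, rcode = line.split()
            events.append((int(ts), host, domain, rcode))
    return sorted(events)


def continuous_verdict(log_text, window=60, threshold=4):
    """Continuous model: keep watching each host and flag it once at least
    `threshold` suspicious lookups fall inside a `window`-second sliding window.
    Returns {host: flagged}."""
    events = parse_log(log_text)
    recent = defaultdict(deque)
    flagged = {host: False for _, host, _, _ in events}
    for ts, host, domain, rcode in events:
        if not one_shot_verdict(domain, rcode):
            continue  # the same per-query feature, now accumulated over time
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[host] = True
    return flagged


if __name__ == "__main__":
    # The query a one-shot check happens to see from host-a looks clean...
    print("one-shot on host-a's last query:",
          one_shot_verdict("updates.example.net", "NOERROR"))
    # ...while the windowed view of the same host tells a different story.
    print("continuous verdict:", continuous_verdict(SAMPLE_DNS_LOG))
```

The per-query heuristic is deliberately the same in both models; what changes is that the continuous model never has to be right about any one moment, only about the pattern a host produces over time, which is the point the post makes about in situ detection.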

Lior Div
About the Author

Lior Div

Lior Div, CEO and co-founder of Cybereason, began his career in, and later served as a Commander in, the famed Unit 8200. His team conducted nation-state offensive operations with a 100% success rate for penetration of targets. He is a renowned expert in hacking operations, forensics, reverse engineering, malware analysis, cryptography and evasion. Lior has a unique perspective on the most advanced attack techniques and on how to leverage that knowledge to gain an advantage over the adversary. This perspective was key to developing an operation-centric approach to defending against the most advanced attacks and represents the direction security operations must take to ensure a future-ready defense posture.