Use behavioral analysis, not blacklisting, to protect against attacks

October 13, 2016 | 2 minute read

Let’s say your neighbor’s house was robbed and, during the police investigation, it was discovered that the burglars broke a window to get in. After learning this, would you board up the windows in your house in an attempt to prevent a break-in?

The answer (most likely) is no. This decision would make your home pretty much uninhabitable. And even if you decided that natural light wasn’t for you and covered the windows, robbers would still find a way in. They could pick the lock on the door or, better yet, break down the door.

But, for the sake of this blog post, let’s say you block your home’s windows and doors. You still wouldn’t be safe. Getting into your home would be incredibly challenging for an attacker, but not impossible. The more ambitious burglars with access to great resources could cut a hole in an exterior wall, for instance.

Blacklisting functions won’t prevent attacks

Adversaries can always find a way to get around whatever security measures are in place. This applies to a burglar looking to break into a home as well as a hacker attempting to steal a company’s intellectual property. We’ve always said that even organizations with the strongest defenses are no match for a motivated attacker.

However, judging from a meeting I recently had with a major bank, some businesses still think strong defense is the only and best protection from hackers. 

During our discussion, I mentioned that attackers will often use legitimate tools to conceal malicious activity. For example, hackers often place a piece of source code in the target environment and execute it using the computer’s code compiler, making their activity look authentic. One of the engineers in the meeting immediately suggested that the company blacklist the use of software that complies code. Several of his colleagues agreed with his idea.

However, I had a counterpoint to their argument. I explained how that tactic would prove useless since attackers could use PowerShell to create the equivalent of a compiler. So blacklisting the compiler wouldn’t keep the company safe.

Undeterred, another engineer proposed that the company ban the use of PowerShell. Again, his co-workers wholeheartedly supported this idea. I pointed out that attackers could use VBScript to create a PowerShell interpreter using APIs.

Attackers will use any vector to infiltrate a company

At this point, I decided that this group of highly technical people was spending too much time trying to come up with every potential attack scenario and needed to hear my message in simple terms.

“If you close the door, the attackers come through the window. It doesn’t matter what you blacklist,” I said.

I went on to explain that not only can attackers circumvent blacklists, but there a multitude of ways for them to achieve their goals. Security analysts can’t possibly predict what vector an adversary will use. I closed our chat by emphasizing that behavioral analysis can help companies detect malicious activity as quickly as possible and doesn’t require blacklisting tools that employees use for their jobs.

They seemed to get my point, but I could still tell they weren’t ready to give up the belief that they could make their company impenetrable.

Complex IT environments give attackers many attack routes

The complexity of enterprise IT environments, which have multiple tool sets and workers using a variety of devices and browsers, ensures that blacklisting certain tools and functions will never offer complete protection. Attackers will always find a way to infiltrate your network. Don’t lull yourself into a false sense of security by covering your doors and windows. Instead, use behavioral analysis to uncover malicious activity.

Israel Barak
About the Author

Israel Barak

Israel Barak, Chief Information Security Officer at Cybereason, is a cyber defense and warfare expert with a background developing cyber warfare infrastructure and proprietary technologies, including that of proprietary cryptographic solutions, research and analysis of security vulnerabilities. Israel has spent years training new personnel, providing in-depth expertise related to cyber warfare and security, threat actor’s tactics and procedures. As Cybereason’s CISO, Israel is at the forefront of the company’s security innovation, research and analysis of advanced threats.

All Posts by Israel Barak