The cybersecurity industry should study the techniques of the Japanese martial art aikido if it hopes to defeat sophisticated hackers.
Hackers have learned that the key to their success lies in evasion, dynamically changing their appearance and behavior, and hiding. While heuristic behavioral analysis - the ability to detect malicious activities without any prior knowledge or static signatures - isn’t new and, by now, is almost universally accepted, properly executing this concept is very difficult.
The top challenge next-generation cyber-security companies face is false positives since every malicious activity taken by a hacker is also exhibited by inherently benign applications. False positives are everywhere: from a Microsoft application that for some reason injects code into other processes, a tactic that is commonly used by malware, to legitimate browser plug-ins that nonetheless exhibit malware-like properties.
Once you start looking, there are few applications that don’t do something that could be considered suspicious in some context. Every behavioral detection idea seems great on paper, but few are actually capable of discovering an attack. The real world is full of edge cases that can’t be accounted for, no matter how thorough the preparations. If that’s not enough, the ratio of benign-to-malicious processes is a 1,000-to-1, so every uncertain detection is much more likely to reveal normal activity instead of malicious actions.
Here’s how aikido can be applied to cyber security.
Aikido follows the principle of using the attacker’s strength against them. From a security perspective, the more a process attempts to hide itself or circumvent possible blocks, the more suspicious it looks when it actually gets caught.
Here’s an example: Malicious rootkits often attempt to hide by removing their own process from the list of currently running processes. Casual observers and even dedicated forensics tools may be unaware that the malicious process even exists. But asking the OS for a list of running processes is not the only way to discover that a process was executed. If you know where to look, you can discover a process that was intentionally hidden and immediately incriminate it as malicious. The irony here is that if the rootkit didn’t try to hide, we wouldn’t have discovered it!
There are multiple other examples that emerge once you embrace this state of mind: the randomly generated domains of DGAs, malicious processes mimicking the names of known legitimate processes, and modifications to the Master Boot Record.
This is, in essence, the aikido approach: taking whatever tactics the adversary used to breach an organization and using them to discover the attack. You use the hackers’ strength against them. The harder they try to hide, the more suspicious they look. By decreasing their impact on one aspect of the environment, the attackers inevitably increase their impact on another. Over time, hackers run out of places to hide and evasive tactics to use, eventually leading to the defenders discovering the attack.
Uri Sternfeld is the research team leader at Cybereason.
