Known vs Unknown Cyber Threats: It’s Really Just a Question of Time
The new era of cyber security threats highlights the difference between known and unknown cyber threats. Known threats are considered “old news,” easily identified through signatures by anti-virus and IDS engines, or through domain reputation blacklists. Unknown threats, on the other hand, are attacks for which no signature exists. Several technologies have come to market, and are presented as capable of detecting unknown threats via static and dynamic file analysis, either at the endpoint or in a simulated environment (also known as sandboxing).
While security practitioners must deploy strong defenses against the known threats that comprises 99% of IT threats, recent events have made us all aware that security practitioners also need to rapidly figure out how to address the increasing use of unknown threats. As the industry faces growing number of sophisticated target attacks that have resulted in a magnitude of data loss not previously seen, the question for us all should be focused on these unknown threats.
The Difference between a Known and Unknown Cyber Threat
Obviously, all known threats began as unknowns. Their signatures were created after they were identified as malicious – either automatically or manually in vendor labs. Existing dynamic analysis solutions work the same way. They may use more sophisticated parameters to detect whether an unknown payload is malicious, but the concept is unchanged: predictive algorithms are applied to characterize payload activity.
If identified as malicious, the unknown becomes known.
The difference between known and unknown is really just a question of time – a new malicious file is unknown until the first time it is processed by a specific algorithm.
Once identified as malicious, it becomes known to the instance of the product that ran this algorithm. Usually, this knowledge propagates at limited velocity, and within a few days this file gradually changes its status from unknown to known. In the past, the rate of malicious file creation was low enough compared to the propagation time, so that A/V and IDS were somewhat effective.
Today, the number of new malicious files simply outpaces the rate of propagation.
We have decided that known versus unknown is subjective; the question depends on the examiner, not on the object itself. Most examiners don’t know that a given object is malicious even after other examiners know. New public and private threat intelligence feeds claim to accelerate knowledge transfer, though it is hard to expect that they could outpace the rate of new threat creation.
Still, looking at the problem from the defender’s eyes, this is the right approach – we need to minimize exposure, deploy the right product and subscribe to the right threat intelligence feeds.
The Origin of the Unknown: The Attacker
Now that we’ve established that known or unknown is a subjective question, let’s think about the problem from the attacker’s perspective. When it comes to a targeted attacker, any payload that could be detected by any existing engine on the market should be assumed to be known. The attacker cannot rely on the propagation time, nor can he assume that the file will avoid being scanned by the best commercially-available engines.
So what’s a serious attacker to do? Simply buy the best commercially-available engines and run his malicious files through them until he finds a way to circumvent the engines.
From the attacker’s point of view, only then can this payload be truly classified as unknown. Anything else is assumed to be detectable.
Expanding the Definition of Known
To more effectively address the growing range of cyber threats, we need to recognize that the definition of known threats is far broader than current thinking.
Known threats are not just a specific signature, a black list record or a publicly or privately shared Indication of Compromise. Known threats are also those threats that could become known once examined by existing predictive algorithms. And by definition, traditional static and dynamic file analysis can only deal with known threats.
This does not mean that static and dynamic file analysis has no value. Threat prevention products should block all known attacks, whether they are known by signature, by threat intelligence or by analysis. But when we speak of detecting unknown threats, any product that applies predictive algorithms that depend solely on information also available to the attacker is at an inherent disadvantage.
The only way to win this epistemology battle is to use information available only to the defender.
We feel that the use of active breach detection products is the best way for the defender to take advantage of the known, and use this against the attacker. Read our Flip The Odds white paper to learn more.