hamburger

BitDam Blog

While the Cat’s Away, the Cyber Mice Will Play
Liron Barak
Liron Barak
5 minutes & 54 seconds read · May 22, 2019

While the Cat’s Away, the Cyber Mice Will Play

The mice don’t ever give up on the cat-and-mouse cybersecurity game and there is no reason why cybersecurity personnel should continue to play it. The mice—in this case, cyber attackers—have most of the advantages. They are relentless. They have numbers. They are mostly invisible. They can attack when and as often as they want. Stealthily, the mice can alter their attack ever so slightly to test and then defeat the latest security mechanisms of the cat. If one try fails, the mice can make another attempt at their leisure. Cats, on the other hand, can hardly put up a permanent defense against the numerous mice-assailants. The best they can do is catch one here and chase one there. But the mice are always back for more.

The cat-and-mouse game reflects the reality of hackers and cybersecurity. The company network is an attractive target that invites the next attack. Hacker mice can show up at their discretion with any new trick while the best the cat can do is to ward off the attack. Even capturing a mouse from time to time hardly puts an end to the game—there are always more mice and more attacks.

We want the cats to win!

A long history of misery

Mice have been invading our homes for a long, long time just as hackers have been invading our endpoints and networks. Hackers have been sending CISOs and security analysts into a panic ever since the first successful cyberattack decades ago when a researcher realized that it was possible for a computer program to move across a network, leaving a small trail as it went. The very first worm, called “Creeper“, transited terminals on the ARPANET (the pre-cursor of the Internet), leaving behind the clever message: “I’M THE CREEPER: CATCH ME IF YOU CAN.”

Almost from the very beginning of cyber history, email has been the main medium for delivery of malicious payloads. In fact, the very person who invented email liked this idea of malware and made the Creeper program self-replicating—the first computer worm. He subsequently created another program, Reaper, the first antivirus software that would chase Creeper and delete it.

Thus began the first cat-and-mouse cybersecurity contest and we haven’t taken a break until now.

Relentless Search for the Next Target

The cybersecurity cat-and-mouse game consists of hacker mice from all over the world continuously inventing new methods and sharing knowledge vs. defender cats devising effective resistance only after significant damage has occurred somewhere in somebody’s cyberspace. Then, the hacker mice tweak their latest method and cause the defender cats to scramble in another futile chase. And on and on. It never ends.

Here is a brief history of cyber cat-and-mouse wars:

  • Static (or Payload-based) Signatures. The hacker attacks with a malicious file. Upon encountering and deciphering this malicious file, the security solution creates a static signature—a binary sequence unique to the malicious file—to identify this file. The security team rapidly shares the signature with their colleagues to enable them to identify this hack attack. Another hacker tries again with a different malicious file with its unique signature. The security team counters by adding the new signature to their security database. As the number of such malicious files increases, so does the signature database, now known as malware blacklists. Hackers keep altering their malware files to change their signatures and escape detection, and the defenders have to find the altered files, add the new signatures to the blacklist and quickly distribute them. This happens thousands of times each and every day.
  • Heuristic Signatures. To try to be more proactive, the defenders attempt to implement heuristic signatures—essentially applying signatures not on malware files but on malware behavior. For example, upon initialization, viruses might run a check for the presence of any running anti-virus (AV) processes. An advanced AV will notice this check and take action to defeat the virus. But it won’t take long for the attackers to try a new trick—they change the virus’s behavior by altering its AV check from looking for the presence of running AV processes to looking for the presence of AV files. The defenders have to respond.
  • Sandboxing. The defenders then came up with the brilliant idea of “sandboxes” where they could open files and start applications in a controlled environment separate from the actual company network—kind of like having a robot take a suspicious object to a remote location and checking it out over there. If it blows up, nobody gets hurt. However, soon enough, hackers discovered that sandboxes have characteristics that distinguish them from the real network, so they devised mechanisms whereby the malware would know when it is in a sandbox and then they developed sandbox-evasion techniques.

    For example, sandboxes are implemented with a limited amount of time to run. Knowing this, attackers implement a sleep function, delaying malware activity by instructing the CPU not to react for X minutes. The defenders counter by detecting the sleep function and fast-forwarding the CPU clock, forcing the malware to run in the sandbox after all.

    The attackers quickly figure out the trick and they switch from using sleep functions to implementing time-consuming loops, once again escaping exile to the sandbox. The defenders develop a response for that as well—breaking loops that run too long.

    The attackers respond by coding some time-wasting mathematical calculations or by implementing some logic that runs the malicious code only if the lengthy loop finishes normally.

    And so the game continues.

Spin Control

Hacker mice are always looking for nooks and crannies—some vulnerability—and devising methods to defeat current security solutions. Defending cats are vigilant—always on the lookout to thwart the latest attack methods.

It’s hard to gain the upper hand in the cat-and-mouse game, but BitDam has an effective weapon: a whitelist approach that puts an end to this ceaseless competition.

BitDam researches the proper behavior of applications, file types and links at the CPU level. Our signatures are not the ever-growing database of malware (already in the billions and growing by leaps and bounds every day), but the opposite: the proper behavior of good stuff. Whenever the behavior of any application, file type or link diverges from that proper behavior, we mark it as malicious and we don’t let it get onto your computer.

Most attacks arrive via files and malicious website links. You click on any of those and you can quickly infect your computer and even your company network. When someone shares a link or a file with you, BitDam invisibly steps in. Unlike traditional mousy security solutions, we don’t wait until the actual malware is delivered in order to detect it. BitDam automatically takes the potentially malicious file or link out into the desert and compares its CPU flows while opening, to our whitelist of how it should behave. If there is a match, we deliver it as if nothing happened. But when there isn’t a match, we “blow it up in the desert” and don’t allow it to reach your computer.

Let the security cats win!