Using Dogs for Malware & Ransomware
For the longest time, cyber security was based on the barking dog approach: sound off alerts and hope someone pays attention. That didn’t work well, but there is a dog analogy that makes a lot of sense for malware.
I was thinking about dogs and the security roles they play and then remembering the stories about Mexico ransom kidnappings when I was younger. There are lessons to be applied in cyber security.
When we think of ransom kidnappings as crimes against people, it’s a different kind of problem than the brazen, in-your-face kind of crime. The goal is to observe, wait for the opportune moment, strike quickly and without much notice, take and hide the valuable person, and then quickly make your demands for a hoped-for safe return.
The same techniques apply to cyber ransomware. Traditional forms of prevention have, and need to have, a place, but detection isn’t that relevant. Here’s where things get interesting though…
The kidnapping or hiding part of a ransom is best done without notice. In ransomware, the goal is to quietly deliver the payload, activate it without detection, encrypt all the mounted data it can find, and only then announce itself and make its demands.
Ransomware needs to be stealthy because the goal is not to alert anyone or anything. So it’s not surprising to learn that 70% to 90% of ransomware uses a stealth component. Before doing anything, it looks around its electronic environment for spotters or detectors. For instance, is a newer and more effective endpoint product present on the host? Is the software running in a virtual sandbox? The list goes on: it checks numerous indicators, whether of prevention or of detection, that might get the security sensors barking.
It turns out a very effective technique, then, is to present a fake positive: signs of exactly the kind of watcher the malware is checking for, which keep it at bay and hiding in the digital shadows, never to see the light of day. Growling dogs are effective precisely because they might bark and alert responders, so the bad person cowers or slinks off. This is a hybrid tactic of prevent and alert: the system tells you which filename was involved and where it is lurking, and you can simply delete it and throw the malicious package away before it ever activates.
No costly remediation, no painful forensics, and no rush to respond. Keep your AV systems in place, but add the additional prevention of this new technique and save yourself a lot of headaches at a fraction of the price of other solutions.
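As an added illustration of the "growling dog" idea (not code from the original post), the detector below assumes the defender has planted decoy files whose names look like analysis tooling; the paths, log format and sample log lines are all constructed placeholders. A process that probes several decoys in a short window is doing the environment reconnaissance described above and is reported with its image path, so the file can be removed before it activates.

```python
"""Tripwire detector for defender-planted decoy artifacts (constructed example)."""
from collections import defaultdict
from datetime import datetime

# Constructed decoy paths planted by the defender; placeholders, not real products.
DECOY_ARTIFACTS = {
    r"C:\ProgramData\decoy_sandbox\agent.dll",
    r"C:\ProgramData\decoy_sandbox\monitor.sys",
    r"C:\Users\Public\decoy_vm_marker.txt",
}

def parse_line(line):
    """Parse 'ISO_TS|PID|IMAGE|ACTION|TARGET' (constructed file-access log format)."""
    ts, pid, image, action, target = line.rstrip("\n").split("|", 4)
    return datetime.fromisoformat(ts), int(pid), image, action, target

def find_probers(lines, min_hits=2, window_s=5.0):
    """Return {(pid, image): [decoys]} for processes that touched at least
    min_hits distinct decoys within window_s seconds. Every access type counts:
    stealth checks usually only test for existence, so a 'query' is as telling
    as a 'read'. A single accidental touch (e.g. a file browser) is ignored."""
    touches = defaultdict(list)  # (pid, image) -> [(timestamp, decoy path)]
    for line in lines:
        ts, pid, image, _action, target = parse_line(line)
        if target in DECOY_ARTIFACTS:
            touches[(pid, image)].append((ts, target))
    alerts = {}
    for key, events in touches.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            hits = {tg for t, tg in events[i:] if (t - t0).total_seconds() <= window_s}
            if len(hits) >= min_hits:
                alerts[key] = sorted(hits)  # image path tells you where it lurks
                break
    return alerts

SAMPLE_LOG = [  # constructed sample: one prober, one benign process
    r"2024-05-01T10:00:00|4312|C:\Users\bob\Downloads\invoice.exe|query|C:\ProgramData\decoy_sandbox\agent.dll",
    r"2024-05-01T10:00:01|4312|C:\Users\bob\Downloads\invoice.exe|query|C:\Users\Public\decoy_vm_marker.txt",
    r"2024-05-01T10:00:02|4312|C:\Users\bob\Downloads\invoice.exe|query|C:\ProgramData\decoy_sandbox\monitor.sys",
    r"2024-05-01T10:00:03|1200|C:\Windows\explorer.exe|read|C:\Users\bob\Documents\notes.txt",
    r"2024-05-01T10:03:00|1200|C:\Windows\explorer.exe|query|C:\Users\Public\decoy_vm_marker.txt",
]

if __name__ == "__main__":
    for (pid, image), decoys in find_probers(SAMPLE_LOG).items():
        print(f"ALERT pid={pid} image={image} probed {len(decoys)} decoys: {decoys}")
```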