The inherent problems of the detection paradigm

An ongoing debate in the modern cybersecurity world is whether to detect or prevent cyberattacks. Although detection technologies are undoubtedly important tools in the defender arsenal, recent years show they have only limited effects when encountering certain types of cyberattacks.

Network based intrusion detection systems (NIDS) and host based intrusion detection systems (HIDS) have been defeated time and again. Typically, attackers successfully penetrate through the NIDS systems and gain a persistent foothold within an organization’s workstations. They gather and leak sensitive data without raising any HIDS alarms, sometimes for months and years.

That was the case with the Sykipot attacks, which targeted telecommunications companies, governmental agencies and other industrial sectors in the U.S. and UK. Sykipot began its operation around 2006, and for a number of years collected sensitive and confidential information and exfiltrated it out of the targeted organizations. Armed with several exploits, including Adobe Acrobat, Microsoft Office and Internet Explorer 0-day exploits, Sykipot successfully evaded the existing NIDS and HIDS systems and was only discovered in 2011.

Problems with the detection paradigm

Clearly, NIDS and HIDS are failing to combat advanced type of attacks, regardless of the amount of effort and resources put in. The detection paradigm as a whole suffers from several inherent weaknesses, which adversaries frequently exploit:

Attacker already in: Many detection systems, especially HIDS, assume that the attacker already has an initial foothold in the system. In the attacker-defender game, it’s just a question of time and effort for the attacker to evade detection. For example, a malware may employ rootkit techniques to reside in the deepest corners of the OS, hidden from the HIDS file scanning and network monitoring mechanisms. It can also proactively manipulate system event logs or use direct kernel object manipulation to bypass access-control and integrity checks techniques.

“White” listing: Whitelisting is another Achilles’s heel of detection systems. Naturally, many HIDS manage a list of “good” processes which are permitted to perform their activities freely. For example, HIDS will probably not raise an alert if an AV process traverses all files in the hard-drive, as it’s a legitimate scanning activity. Signed device-drivers and certified applications also gain a higher level of trust by HIDS systems. But what happens if a malware injects its code into the AV process, or when a rootkit author signs its driver with a well-known vendor certificate? Such impersonation techniques are found to be very effective in evading the most advanced detection systems.

The false-negative trap: Many of the techniques employed by NIDS and HIDS are statistically-based rather than rule-based. Consequentially, HIDS vendors try to avoid false alarms as much as possible using thresholds. These thresholds are where the attackers can slip in and remain under the radar. For example, NIDS and HIDS can identify data exfiltration when they find a deviation from the typical volume of network traffic. However, data can be leaked through HTTP traffic at very low rate, without raising any alarms.

The undetectable: Some ‘malicious’ activities are simply impossible to detect. Credentials-stealer malware operates the same way as legitimate password managers that save usernames and passwords in a browser. Keyloggers are another type of malware which is very difficult to detect. Windows OS allows any application to monitor and hook every key pressing event in the system, for example software that monitors children or employees. However, the gray area between the “good” and the “bad” leaves enough space for attackers to slip in.

The damage already done: The case where a successful detection merely indicates a successful attack. In many cases, detection occurs late in the timeline of the attack, after the damage has already occurred. For example, only after large quantities of information have already been leaked out.

Moving target defense

To overcome these limitations, a new paradigm is required. In contrast to NIDS and HIDS, Moving Target Defense (MTD) doesn’t try to detect the enemy. Instead, it attempts to prevent the enemy from entering in the first place. Under the MTD model, there is no monitoring, no detection rules, no signatures and no heuristics.

By continuously and persistently changing the attack surface, the attacker can be blocked and trapped before managing its first attempt to compromise the endpoint. Consequently, the elementary presuppositions used by attackers in planning and deploying their offensive steps become irrelevant. Each function call, jump to address or access to a resource entails potential failure – along with full exposition of the attack, its originators and its source.