How to Detect New Threats via Suspicious Activities
Unknown malware presents a significant cybersecurity threat and can cause serious damage to organizations and individuals alike. When left undetected, malicious code can gain access to confidential information, corrupt data, and allow attackers to take control of systems. To avoid these damaging outcomes, it is important to detect unknown malicious behaviour efficiently. This article outlines the challenges of detecting new threats and provides a guide to detecting and responding to them, with a focus on indicators of malicious behaviour rather than on static signatures.
Challenges of new threat detection
New threats can take on a variety of forms and present distinct challenges for their detection, such as:
- Polymorphism: Malware developers repack, re-obfuscate or rebuild the malicious code to generate unique variants of the same malware, so each variant has a different hash and byte pattern while behaving the same way.
- Not identified: Some threats have not been identified at all yet, so no detection rulesets exist for them.
- FUD: Some threats are Fully UnDetectable (FUD) by current security products for a period of time and pass through perimeter security.
- Encryption: The payload is often encrypted or packed and only decrypted in memory at run time, making it difficult to detect with signature-based security solutions that scan the file on disk.
- Low and slow: Malware authors may use a “low and slow” approach, spreading a small volume of malicious activity across a network over a long time so that it stays below volume-based alerting thresholds and is harder to detect and block.
Detection of new threats
To detect new threats, researchers use reverse engineering, static analysis, dynamic analysis, sandboxing, and heuristics to determine the malicious nature of code. Tools such as Process Monitor and Wireshark, as well as the ANY.RUN sandbox, support these steps. The most important focus should be on indicators of malicious behaviour, because behaviour survives the repacking and encryption that defeat hash and byte-pattern signatures.
Monitor suspicious activities for effective detection
In computer security terminology, a signature is a typical footprint or pattern associated with a malicious attack on a computer network or system. Behavioural signatures are especially important when detecting threats, as almost every action in the OS leaves behind a trace. By running a suspicious program in a sandbox and observing its behaviour, malicious activities such as abnormal file system activity, suspicious process creation and termination, abnormal networking activity, and more can be identified.
For example, Microsoft Office launching PowerShell is suspicious, as is an application that adds itself to the scheduled tasks, or a process named svchost.exe running from a Temp directory instead of C:\Windows\System32. Other suspicious activities include attempting to delete volume shadow copies, dropping a TXT/HTML ransom note (a “readme” file) into every directory, or sending credentials, OS characteristics, or other sensitive data collected locally from an infected system to a remote server.
Use case #1
Here is a sample of a stealer. It steals user data, cookies, cryptocurrency wallets, etc. The malicious intent of the threat is revealed when the application opens the Chrome browser’s Login Data file, the SQLite database in which Chrome stores saved logins; a read of that file by any process other than the browser itself is a strong indicator.
Use case #2
Malicious applications may attempt to stop Windows Defender or create an exclusion for themselves (for example via the Set-MpPreference and Add-MpPreference PowerShell cmdlets), activities which are not typical of legitimate programs. If user files are then encrypted, the sample can be classified as ransomware.
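As an added example, not the article’s or ANY.RUN’s own detection logic, the following Python script turns the behaviours discussed above (Office spawning a script host, a self-added scheduled task, svchost.exe outside System32, shadow-copy deletion, ransom notes in many directories, the Chrome Login Data read from use case #1, and the Defender exclusion plus mass file rewrite from use case #2) into rules that run over a constructed, Sysmon-style event trace. The event shape, rule names, thresholds and the sample paths are assumptions made for illustration.

```python
"""Behavioural rules over a constructed, Sysmon-style event trace.
Added example, not the article's or ANY.RUN's code: the event shape, rule names
and thresholds are assumptions made for illustration."""
import re
from collections import defaultdict

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
BROWSERS = {"chrome.exe", "msedge.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)
DEFENDER_TAMPER = re.compile(r"Set-MpPreference\s+-DisableRealtimeMonitoring|Add-MpPreference\s+-Exclusion"
                             r"|sc(\.exe)?\s+stop\s+WinDefend|Stop-Service\s+(-Name\s+)?WinDefend", re.I)
RANSOM_NOTE = re.compile(r"(readme|how[_ -]?to[_ -]?(decrypt|recover)|restore[_ -]?files)[^\\]*\.(txt|html?)$", re.I)

def base(path):
    """Lower-case file name of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]

def per_event_rules(ev):
    """Single-event checks; yields the names of the rules that fire."""
    img, parent, cmd = base(ev.get("image", "")), base(ev.get("parent", "")), ev.get("cmdline", "")
    if ev["type"] == "process":
        if parent in OFFICE_APPS and img in SCRIPT_HOSTS:
            yield "office_spawns_script_host"
        if img == "svchost.exe" and not ev["image"].lower().startswith(SYSTEM_DIRS):
            yield "svchost_outside_system32"        # the real svchost lives in System32/SysWOW64
        if img == "schtasks.exe" and "/create" in cmd.lower() and ev.get("parent") and ev["parent"].lower() in cmd.lower():
            yield "self_persistence_scheduled_task"  # the task action is the parent's own binary
        if SHADOW_DELETE.search(cmd):
            yield "shadow_copies_deleted"
        if DEFENDER_TAMPER.search(cmd):
            yield "defender_tampering"
    elif ev["type"] == "file_read" and base(ev["target"]) == "login data" and img not in BROWSERS:
        yield "browser_credential_store_read"        # Chrome's saved logins, read by a non-browser

def aggregate_rules(events, note_dirs=3, rewritten_files=10):
    """Whole-trace checks: one note dropped in many directories, and many files
    rewritten with an extra extension (a cheap encryption heuristic)."""
    notes, rewritten = defaultdict(set), defaultdict(set)
    for ev in events:
        if ev["type"] != "file_create":
            continue
        name, directory = base(ev["target"]), ev["target"].lower().rsplit("\\", 1)[0]
        if RANSOM_NOTE.search(name):
            notes[name].add(directory)
        if name.count(".") >= 2:  # report.docx.locked still carries its original extension
            rewritten[name.rsplit(".", 1)[-1]].add(ev["target"].lower())
    hits = [("ransom_note_in_many_dirs", f"{n} in {len(d)} directories") for n, d in notes.items() if len(d) >= note_dirs]
    hits += [("mass_file_rewrite", f"{len(f)} files renamed to .{e}") for e, f in rewritten.items() if len(f) >= rewritten_files]
    return hits

def analyse(events):
    """Return (rule, detail) pairs for every rule that fires on the trace."""
    hits = [(r, ev.get("cmdline") or ev.get("target", "")) for ev in events for r in per_event_rules(ev)]
    return hits + aggregate_rules(events)

# Constructed trace of a hypothetical macro-dropped stealer/ransomware sample (not a real one).
def proc(image, parent, cmdline):
    return {"type": "process", "image": image, "parent": parent, "cmdline": cmdline}

TEMP = "C:\\Users\\victim\\AppData\\Local\\Temp"
WORD = "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
DROPPER = TEMP + "\\svchost.exe"
CHROME = "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
LOGIN_DATA = "C:\\Users\\victim\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
SAMPLE_TRACE = [
    proc(PS, WORD, "powershell -nop -w hidden -enc SQBFAFgA"),
    proc(DROPPER, PS, "svchost.exe"),
    proc("C:\\Windows\\System32\\schtasks.exe", DROPPER, f'schtasks /create /sc onlogon /tn Updater /tr "{DROPPER}"'),
    proc(PS, DROPPER, f'powershell Add-MpPreference -ExclusionPath "{TEMP}"'),
    proc("C:\\Windows\\System32\\cmd.exe", DROPPER, "cmd /c vssadmin delete shadows /all /quiet"),
    {"type": "file_read", "image": DROPPER, "target": LOGIN_DATA},
    {"type": "file_read", "image": CHROME, "target": LOGIN_DATA},  # benign: the browser itself
]
for _dir in ("Documents", "Desktop", "Pictures"):
    SAMPLE_TRACE.append({"type": "file_create", "image": DROPPER, "target": f"C:\\Users\\victim\\{_dir}\\README_TO_RESTORE.txt"})
    SAMPLE_TRACE += [{"type": "file_create", "image": DROPPER, "target": f"C:\\Users\\victim\\{_dir}\\file{i}.docx.locked"} for i in range(4)]

if __name__ == "__main__":
    print(*analyse(SAMPLE_TRACE), sep="\n")
```

Running the script prints eight hits for the constructed trace and none for the benign Chrome read of its own Login Data. The per-event rules map directly onto Sysmon Event ID 1 (process creation) and Event ID 11 (file create) fields; Sysmon does not record ordinary file reads, so the Login Data rule needs a file-access source such as a sandbox API trace or an EDR sensor. The aggregate rules need the whole trace, which is why thresholds (three directories, ten rewritten files) rather than single events decide them: a single README.txt or one renamed file is normal, many of them in a few seconds is not.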
Conclusion
Behaviour analysis enhances organisations’ ability to respond to new and unknown threats and strengthens their protection without additional costs. Cybercriminals use unknown threats to extort businesses for money and to launch large-scale cyberattacks, but these can be identified and prevented by focusing on indicators of malicious behaviour. Try the ANY.RUN online interactive service to monitor suspicious activities and get the first results immediately.
Key Points:
- Unknown malware presents a significant cybersecurity threat and can cause serious damage to organizations and individuals alike.
- Known malware families are more predictable and can be detected more easily, while unknown threats can take on a variety of forms, posing several distinct challenges for their detection.
- Reverse engineering, static analysis, dynamic analysis, sandboxing, and heuristics can be used to detect new threats.
- Behavioural signatures are especially important when detecting threats, as all activities in the OS leave behind a trace.
- Focus on indicators of malicious behaviour to detect any threat, even without signatures.
- Behaviour analysis enhances organizations’ ability to respond to new and unknown threats and strengthens their protection without additional costs.