Strategies to identify and thwart intruders utilizing these diverse strategies
Camouflaging is a crucial tactic for safeguarding software that also poses threats, particularly when exploited by malware developers. In this piece, we explore camouflaging, its ramifications, and countermeasures.
What Constitutes Camouflaging?
Camouflaging refers to the act of purposefully complicating information readability, particularly in computer programming. A significant application is data camouflaging, where sensitive data is rendered unrecognizable to shield it from unauthorized access. Diverse techniques are employed for this purpose.
For instance, credit card numbers typically reveal only the final four digits, with the other digits being substituted with Xs or asterisks. Conversely, encryption involves transforming data into an indecipherable format that necessitates a unique key for decryption.
Camouflaging in Programming
When program code is camouflaged, intricate language and redundant logic are incorporated to obfuscate the code. The objective? To mislead both human readers and tools such as decompilers. To achieve this, sections of the code are ciphered, metadata is eradicated, or meaningful identifiers are replaced with meaningless ones. Embedding unused or meaningless code is also a prevalent technique to mask the actual code.
An obfuscator, as it is termed, can automate these procedures and alter the source code to maintain functionality while becoming more obscure.
Other camouflaging methodologies encompass compressing the entire program to render the code indecipherable and altering the control flow to generate unordered, intricate logic.
Integrating inconsequential code that exerts no influence on the logic or the program’s output is another common practice.
Several techniques are frequently amalgamated to yield a multi-layered effect and bolster security.
The Adverse Aspect
Regrettably, camouflaging is not solely a protective mechanism; it also poses challenges. Camouflaging is utilized by not just legitimate software developers but also malevolent software creators. The objective of camouflaging is to anonymize cyber attackers, diminish detection risks, and cloak malware by altering the overall fingerprint and signature of the malicious code, even if the payload is a recognized threat. The fingerprint denotes a hash, a distinct alphanumeric representation of a malware element. Signatures are commonly hashed, though they can also signify another concise representation of a distinctive code within a malware element.
Instead of striving to formulate a new signature through modifying the malware itself, camouflaging concentrates on deployment mechanisms to deceive antivirus solutions reliant on signatures. Contrast this with the utilization of machine learning, predictive analysis, and artificial intelligence to enhance defenses.
Camouflaging, or the veiling of code, can be simultaneously “positive” and “negative”. In instances of “negative” camouflaging, hackers meld diverse techniques to mask malware and construct multiple layers of disguise. One such technique is packers, software packages that compress malware to mask its presence and render the original code illegible. Additionally, cryptographers encrypt malware or segments of software to confine access to code capable of alerting antivirus programs.
Another strategy is integrating redundant code. This practice entails embedding useless code into the malware to obscure the program’s manifestation. Attackers may also employ command alteration, which revolves around modifying the command codes in malware programs. This transmutes the code’s visual presentation while leaving its functionality unaltered.
Camouflaging in the code, as demonstrated, represents merely the initial phase since despite the hacker’s extensive efforts to camouflage the code to circumvent EDR, malware must establish communication within the network and externally to achieve “success”. Consequently, communication must equally be concealed. In contrast to the past where networks were rapidly scrutinized and immediate endeavors were made to extract data in large quantities at once, contemporary attackers communicate discreetly to evade notice by monitoring tools’ sensors and switches.
The objective of procuring IP addresses via scanning, for instance, is now executed gradually to evade detection. Reconnaissance, where threat actors strive to gather information about their intended victims, such as their network structure, is also conducted at a slower pace and with greater opacity.
An elementary camouflaging approach is Exclusive OR (XOR). This technique obfuscates data in a manner only intelligible to individuals correlating the code with 0x55 XOR. ROT13 constitutes another stratagem where letters are encoded using a specific scheme.
Recollections of the Past:
- An infamous instance of camouflaging is the SolarWinds incident in 2020. Hackers exploited camouflaging to evade defenses and obscure their incursions.
- An intriguing case is PowerShell, a Microsoft Windows tool exploited by attackers. Malware leveraging PowerShell conceals its operations through techniques like encoding strings, obfuscating commands, executing dynamic code, and more.
- Another example is the XLS.HTML assault. Here, hackers employed intricate camouflaging methods to obscure their malicious deeds. They altered their encryption manners at least tenfold within a year to hinder detection. Their methodologies featured plain text, escape encoding, Base64 encoding, and even Morse code.
- In another threat, malefactors exploited ThinkPHP vulnerabilities to execute remote code on servers. They implanted a concealed web shell named “Dama” that facilitated sustained access and further assaults.
Reasons to Diversify Beyond Solely Relying on Signatures
Sole dependence on signature-based detection is akin to an aged companion–it’s dependable in identifying known threats. However, with novel, unfamiliar threats, it can occasionally prove inadequate. Here are several rationales why relying exclusively on signatures is ill-advised:
- Malware developers are adept at concealing their malicious programs. They employ various techniques to mask their malevolent activities. Even minor alterations to the code can impede signature identification.
- With polymorphic malware, malware emulates a chameleon. It constantlymodifies its format to evade detection. Each time it is run, the script displays a distinct appearance.
- No chance for fixed signs? Metamorphic malicious software is even more cunning. It adjusts while running and alters its script dynamically, rendering it nearly impossible to detect with fixed signs.
- Furthermore, zero-day vulnerabilities act akin to the “newcomer”: they are fresh and unknown, and signature-oriented systems have zero probability of identifying them.
- In addition, when a fixed sign-based solution returns excessive false positives, it becomes ineffective. Too many erroneous alarms in daily operations impact your security squad and consume valuable resources.
In summary, sign detection, for instance, in an EDR, proves to be a beneficial tool, but alone, it is insufficient to repel all threats. A more comprehensive security approach that integrates behavioral scrutiny, machine learning, and other contemporary tactics is imperative.
Reasons NDR Tools Hold Significance
Anomaly-focused IDS solutions operate like detectives who monitor a system’s typical behavior and issue a warning upon identifying abnormal activities. However, Network Detection and Response (NDR) tools go even further: they continuously adapt to stay ahead of the ever-changing cyber threat landscape and provide a notably higher level of security than traditional fixed-sign approaches by leveraging their advanced analysis and integration capacity. They are capable of identifying and safeguarding against both known and unknown threats.
Here’s Their Methodology:
- Behavioral Scrutiny: NDR tools keep track of network traffic and evaluate behavior. They pinpoint unusual patterns that might indicate command-and-control (C&C) communication, such as irregular data transfers.
- Protocol Inspection: They inspect HTTP requests, DNS traffic, and various other protocols to identify suspicious actions or communication that could be linked to cloaked malware.
- Meta Insight Analysis: NDR tools assess metadata to uncover uncommon patterns pointing to dubious activities. Machine learning models aid in recognizing typical masking methods that become apparent through suspicious acts in network traffic.
- Extended Communication Surveillance: As concealing communication is vital to hackers nowadays, as they embrace slower and more covert methods to elude detection and gather data within and beyond networks, it is advantageous that NDR also delves into longer time spans, for instance, 3 days, in addition to its capacity to conduct batch operations, for example, within minutes, to establish comparative values and monitor and expose anomalies, and real-time alerts would result in a flood of notifications if a scan identifies a ping every minute or so. But is every ping an invasion? Definitely not!
- Mitre ATT&CK and ZEEK: These frameworks offer valuable insights into threats leveraging obfuscation. Their fusion with NDR tools significantly enhances threat identification capabilities.
- Menace Data Sharing: NDR tools exchange threat data with other security solutions. This facilitates quicker identification of known masking methods and suspicious activities. Integrating with EDR tools enables them to link dubious activities on endpoints with network traffic, significantly boosting security analysis.
For more insights on why NDR is an essential security tool and how it exposes even the most sophisticated threats and intricate forms of obfuscation, download our whitepaper on Advanced Persistent Threat (APT) detection.
To observe how NDR functions within your corporate network and precisely how it identifies and responds to APTs, view our recorded APT detection video.
About Author
