
Secplicity - Security Simplified

Powered by WatchGuard Technologies

The Black Swan in Security Statistics ~ Zero Day Malware

October 11, 2017 By Teri Radichel

Using a risk model based on security statistics is a valid and useful approach to defending against cyber attacks. A company can decide that if one type of attack is affecting a large percentage of companies, then chances are, they may be next. The company can take steps to defend against that attack. However, sometimes past statistics are not enough and can be misleading.


Fooled by Randomness: The Hidden Role of Chance in Life and in the Markets by Nassim Nicholas Taleb is a book that I found particularly insightful. I read this book before its predecessor, The Black Swan: Impact of the Highly Improbable. These books challenge thinking based solely on what is known, past statistics, and Gaussian distributions (or bell curves to you and me).

For example, in the book one investor was making a massive amount of money on a type of investment based on a pattern he discovered. Unfortunately, he did not consider that something outside this trend he saw might be possible. When the market changed, his wealth vanished.

The “Black Swan” in the first book is the idea that just because you have never seen a black swan, doesn’t mean one doesn’t exist. Decision-making based on faulty statistical logic can be very detrimental because often the random, catastrophic event causes much more damage than known risks.

This concept applies very well to the experience of many security people who knew what was possible, while executives who had not yet seen it happen to them personally didn’t believe it would. That is, not until we got to the point where multiple cyber attacks and data breaches were in the news every day. Hopefully by now, security people have less trouble convincing people that breaches can and will happen and that companies should prepare for them.

Traditional Security Products Block Only the Known

Some security technologies base protection on past statistics. For example, a traditional anti-virus product blocks software that has already attacked someone else. When security professionals and tools figure out that a file is a malicious executable, they derive an identifier for that malware: either a hash (a fixed-length fingerprint of the exact file) or a “signature” that identifies the malware based on various known characteristics. A traditional anti-virus product or IPS (intrusion prevention system) blocks files or packets matching known hashes or signatures on other hosts or in network traffic.

Although signatures and hashes help block known threats, they do not protect against unknown attacks that no one has seen yet, or in other words zero day malware. At some point, every piece of malware was new. The malware could be based on prior malware but altered in some way so that it no longer matches the known characteristics used to identify and stop it. It could be polymorphic malware that constantly changes as it executes. A machine running only a traditional security product would be unprotected against it.

So, is the traditional approach of matching signatures and hashes useless? No! Known malware and known vulnerabilities still cause a vast number of cyber incidents. In the Q2 WatchGuard Internet Security Report, our Gateway Antivirus service caught 47% of malware reported by customers. Signatures and hashes are one of the most efficient ways to identify and block known malware, which improves the performance of security systems.
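As an added illustration of the two points above (not code from the original post or from any WatchGuard product), the following constructed example shows why an exact hash catches only the one file it was computed from, why a characteristic-based signature survives small changes such as padding, and why a variant that rewrites the bytes the signature keys on falls through to "unknown". The sample bytes, hash list and signature pattern are all made up for the demonstration.

```python
import hashlib
import re

# Constructed stand-in for a malicious file's bytes (not real malware).
KNOWN_SAMPLE = b"MZ\x90\x00 fake-payload: connect evil.example; drop file; persist"

# Hash form of a signature: an exact SHA-256 fingerprint of one known file.
KNOWN_HASHES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}

# Characteristic form of a signature: a byte pattern shared by a (constructed) family.
SIGNATURES = {"fake-family": re.compile(rb"connect [a-z.]+; drop file")}


def classify(sample: bytes) -> str:
    """Report how a purely signature/hash-based scanner would see this file."""
    if hashlib.sha256(sample).hexdigest() in KNOWN_HASHES:
        return "hash-match"            # exact file already seen and catalogued
    for name, pattern in SIGNATURES.items():
        if pattern.search(sample):
            return f"signature-match:{name}"  # altered file, known characteristics
    return "unknown"                   # nothing on file matches: a zero day to this scanner


# Variant 1: one byte of padding appended. The hash changes; the pattern is still present.
PADDED_VARIANT = KNOWN_SAMPLE + b"\x00"

# Variant 2: the bytes the signature keys on are rewritten, so neither check fires.
# Only behavioural or heuristic analysis would have a chance at this one.
REWRITTEN_VARIANT = KNOWN_SAMPLE.replace(b"drop file", b"write file")

if __name__ == "__main__":
    for label, sample in [("original", KNOWN_SAMPLE),
                          ("padded", PADDED_VARIANT),
                          ("rewritten", REWRITTEN_VARIANT)]:
        print(f"{label:10s} -> {classify(sample)}")
```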

Protecting Against the Unknown

How can companies protect systems and networks from the unknown? WatchGuard offers security services that spot malware never seen before using many different techniques not based on signatures or hashes.

  • WatchGuard APT Blocker focuses on behavioral analysis, identifying and submitting suspicious files to a cloud-based sandbox where the code is emulated, executed, and analyzed to determine its threat potential.
  • WatchGuard Gateway AntiVirus now uses signatures and dynamic heuristic analysis (behavior analysis) with code emulation to catch polymorphic viruses and malicious code that signatures can’t catch.
  • WatchGuard Threat Detection and Response (TDR) is a collection of tools that correlate threat indicators from Fireboxes and Host Sensors to stop known, unknown and evasive malware threats.
  • WatchGuard Dimension is an award-winning security monitoring product that provides visibility and reporting to help companies identify network security threats, issues, and trends. This information helps network administrators create security policies based on environment specific data.

Security Services Need to Be Enabled to Protect You

The entire WatchGuard suite of tools offers an array of techniques to identify unknown as well as known malware. The most important thing WatchGuard customers need to do is to enable the different services on their Fireboxes and endpoints. WatchGuard offers advanced protection by delivering many services that work together, but only the enabled services can help. Make sure you are getting all the protections available by following the instructions in the documentation and contacting WatchGuard customer support if you need help. — Teri Radichel (@teriradichel)
