Войти в систему
Войти с помощью соц. сетей:
When designing a signature strategy, it’s wise to try to understand the attacker’s perspective. Attackers are playing a constant game of cat-and-mouse. Their intent is to blend in with regular traffic to avoid detection and maintain successful ongoing operations. Like any software developers, attackers struggle to update software, to remain current and compatible with changing systems. Any changes that are necessary should be minimal, as large changes can threaten the integrity of their systems.
As previously discussed, using multiple signatures that target different parts of the malicious code makes detection more resilient to attacker modifications. Often, attackers will change their software slightly to avoid detection by a specific signature. By creating multiple signatures that key off of different aspects of the communication, you can still successfully detect the malware, even if the attacker has updated a portion of the code.
Here are three additional rules of thumb that you can use to take advantage of attacker weaknesses:
Focus on elements of the protocol that are part of both end points.
Changing either the client code or the server code alone is much easier than changing both. Look for elements of the protocol that use code at both the client and server side, and create a signature based on these elements. The attacker will need to do a lot of extra work to render such a signature obsolete.
Focus on any elements of the protocol known to be part of a key.
Often, some hard-coded components of a protocol are used as a key. For example, an attacker may use a specific User-Agent string as an authentication key so that illegitimate probing can be detected (and possibly rerouted). In order for an attacker to bypass such a signature, he would need to change code at both end points.
Identify elements of the protocol that are not immediately apparent in traffic.
Sometimes, the simultaneous actions of multiple defenders can impede the detection of malware. If another defender creates a signature that achieves sufficient success against an attacker, the attacker may be compelled to adjust his malware to avoid the signature. If you are relying on the same signature, or a signature that targets the same aspects of the attacker’s communication protocol, the attacker’s adjustment will affect your signature as well. In order to avoid being rendered obsolete by the attacker’s response to another defender, try to identify aspects of malicious operations that other defenders might not have focused on. Knowledge gained from carefully observing the malware will help you develop a more robust signature.
Войти с помощью соц. сетей: