Watch Usama Fayyad's video version of this blog
We are living in a world that’s becoming increasingly challenging in terms of protecting against and avoiding cyberthreats. Not only have we seen tremendous growth in the scale of these attacks, but also in their variety, as they have morphed into modalities that are much more difficult to detect. As I’ve always said, a lot of the defenses that exist today are about detecting and blocking the knowns and allowing the known safe programs and applications to pass through. That mode doesn’t work when you enter the world of “weaponized at runtime” (WRT), where a payload looks innocent, comes in through your firewall, gets past all the protections and then gets weaponized at runtime, turning against you, particularly when it doesn’t leave easy evidence to trace such as files and other droppings. So there is a need here to upscale the protection, to leverage technology including AI, and to think about new ways to tackle this growing problem.
In my opinion, we have entered a crisis mode in cybersecurity, evidenced by an epidemic of an exponentially growing number of attacks as well as a growing frequency of attacks. In addition, these attacks have been taking a new format: they are memory based, and they don’t leave any easy traces to tackle or easy ways to block. They wait until execution time and then formulate the attack, and that is what we call weaponized at runtime. The framework of protecting the perimeter doesn’t quite work here. The underlying assumption in protection must be to assume that you are vulnerable, assume that you have been breached, and think about what mechanisms you have for reacting to those breaches, mechanisms that can respond in real time and detect when something bad is happening. Protecting against the unknowns is a much harder problem than protecting against what happened in the past by analyzing patterns retroactively.
That is why the approach of analyzing what’s going on now and logically determining that something bad or suspicious is happening is going to be much more effective in this space.
In cybersecurity, there is an alarming trend that several industry names are following, which is to keep putting effort into protecting against what we already know. We keep buying protections to defend the perimeter, such as continuing to invest in firewalls, and we react to a lot of the known threats that are talked about. In the industry, people talk about zero day vulnerabilities, which is just a fancy term for threats that have been in our systems and networks for up to years without being detected. Suddenly they become known and then we launch a reaction to them. In my opinion, the assumption should always be that you have already been breached; how do you react to that breach, and what do you do about it once that threat is inside your firewalls, inside your networks, in your applications and doing something? With the growth and frequency of attacks, this kind of thinking is significantly more important and probably one of the few effective defenses that allow us to do something against this growing threat, which comes from a variety of modalities: applications, the Internet of Things, and the many other ways the bad guys have of breaching your systems.
Patching is something that of course should be done as basic hygiene. Patching is when the author of an application, reacting to known threats and understanding certain vulnerabilities, publishes a fix to the application against those known threats. The real issue is these so-called new vulnerabilities, and I actually shouldn’t call them new, because many of them, the ones known as zero day vulnerabilities, have existed in the system or the application for a long time and sat there undetected. We believe they are unexploited vulnerabilities, but we don’t actually know. And it turns out in reality that it takes a visible event of a large scale for us to notice and react as a community, and then cause the authors of the software to react with a patch.
A more effective approach here is to actually detect whether an application’s execution has somehow changed from the expected, from the normal. One of the most effective ways to do this is to study, in real time, the trace of the functions that are being called and how they are returning. Are they returning to the right spot, the usual spot, or are they returning to a different spot? That is one of the biggest telltale indicators that something bad has happened. That is a world where we can keep up with a lot of these growing threats that exploit lower level libraries sitting in systems and getting weaponized at runtime. They look very innocuous until they are executing. You can catch them when they try to do something bad.
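To make that return-address check concrete, here is an added example that is not code from this blog or from any product: a minimal shadow stack that replays a constructed call/return trace and counts the returns that did not go back to the spot recorded at call time. The events and addresses are constructed placeholders.

```c
#include <stddef.h>
#include <stdint.h>
#define SHADOW_DEPTH 64
enum event_kind { EV_CALL, EV_RET };

/* One observed control-flow event: a call that is expected to return to
 * `addr`, or a return whose actual target was `addr`. */
struct trace_event { enum event_kind kind; uintptr_t addr; };

/* Shadow stack: the expected return spot for every call still in flight. */
struct shadow_stack { uintptr_t slots[SHADOW_DEPTH]; int top; int violations; };

static void shadow_init(struct shadow_stack *s) { s->top = 0; s->violations = 0; }

static void shadow_call(struct shadow_stack *s, uintptr_t expected_ret) {
    if (s->top < SHADOW_DEPTH) s->slots[s->top] = expected_ret;
    s->top++;                         /* depth is tracked even past capacity */
}

/* Returns 1 when the observed return target matches the recorded one. */
static int shadow_ret(struct shadow_stack *s, uintptr_t actual_ret) {
    if (s->top <= 0) { s->violations++; return 0; }            /* return with no call */
    s->top--;
    if (s->top >= SHADOW_DEPTH) { s->violations++; return 0; } /* record was lost */
    if (s->slots[s->top] != actual_ret) { s->violations++; return 0; }
    return 1;
}

/* Replays a captured call/return trace and counts returns that went
 * somewhere other than the spot recorded when the call was made. */
int count_return_violations(const struct trace_event *ev, size_t n) {
    struct shadow_stack s;
    shadow_init(&s);
    for (size_t i = 0; i < n; i++) {
        if (ev[i].kind == EV_CALL) shadow_call(&s, ev[i].addr);
        else shadow_ret(&s, ev[i].addr);
    }
    return s.violations;
}

/* Constructed sample traces; the addresses are placeholders, not real code. */
static const struct trace_event normal_trace[] = {
    {EV_CALL, 0x1000}, {EV_CALL, 0x2000}, {EV_RET, 0x2000}, {EV_RET, 0x1000},
};
static const struct trace_event diverted_trace[] = {
    {EV_CALL, 0x1000}, {EV_CALL, 0x2000}, {EV_RET, 0x9000}, {EV_RET, 0x1000},
};
int normal_violations(void)   { return count_return_violations(normal_trace, 4); }
int diverted_violations(void) { return count_return_violations(diverted_trace, 4); }
```

A real detector would capture the events from the running process rather than from an array; the checking logic is the same.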
Usama Fayyad is co-founder and CTO of Ooda Health, a healthcare technology company, as well as Founder and Chairman of Open Insights, a data strategy, AI and machine learning company. His background has mostly been in technology, starting with a PhD in AI/machine learning and working at places like NASA JPL and Microsoft. He has been Chief Data Officer at financial institutions like Barclays in London and at technology companies like Yahoo in Silicon Valley.
Related video and blog: Troels Oerting, “Attacks that Weaponize at Runtime”, and the blog “Changing Our Approach to Security”.