Much has been made of malware and its need to maintain an active network connection. In many ways, entire market segments were birthed from this notion. User and entity behavior analytics (UEBA) and cloud access security brokers (CASB) tools have capitalized on this fear for the past three years. Additionally, lateral movement – as witnessed in some of the most prominent breaches this decade – required jumping from one connected device to another, and leveraging a pathway out.
The use cases for UEBA and CASB appear strong. Detecting insider threats, data exfiltration, external actors, and monitoring users is a top-down approach. Without the network, none of these things can be done.
The Reality of Disconnection
In an “always-connected” world, people don’t think about losing their access. While losing Internet access is quickly recognized, it is not typically associated with malicious activity. How would the average person differentiate between slow hotel, airplane, or Starbucks Wi-Fi, and the mark of a state actor?
It also isn’t often that we hear about bad guys taking a machine offline. In fact, one of the key remediation actions on infected machines is to disable its network interface until a security analyst can perform in-person forensics. An old adage goes something like, “If you want to keep your machine safe, pull the Ethernet cable.”
But we’ve seen the limitations of going offline. One of the greatest inhibitors to digital rights management (DRM) is that authorized users must receive a license to open files. If an executive forgets this before a transpacific flight, they can’t do their work.
Beware of Compromised or Alternative Hosts
In 2015, Cylance researchers discovered that routers produced by ANTlabs had a vulnerability which ultimately allowed attackers to infect the computers of Wi-Fi users with malware. This wasn’t restricted to hotels – the routers were also used in convention centers and private data center providers. Legitimate Wi-Fi hosts were also compromised.
This came hot on the heels of the Darkhotel APT, which caused havoc and mayhem to globe-trotting executives traveling to Asia (90% of infections were in Japan, Taiwan, China, Russia and South Korea). Impacted industries were many, with a high degree of intellectual property at risk.
More recently, alternative Wi-Fi hosts at Starbucks, airports, and other public locations lure impatient web surfers into joining malware delivery hosts. At the Republication National Convention last year, security researchers at Avast set up fake hosts, exposing the identities of over 800 people. With the proliferation of Xfinity (Comcast) Wi-Fi and other community services - which will form the backbone of the forthcoming 5G networks - this risk will increase dramatically.
This was also demonstrated at RSA 2014, where Bluebox Security showed how easy it was to create a spoofed SSID, causing devices with saved networks to automatically connect. The only way to determine whether it was real or genuine is by inspecting the base station MAC address. But by that time, it’s often too late and devices are already connected.
Malware That Attacks the Connection
Assuming that the bad guys normally want to maintain a connection with their target, there are a couple of situations which would influence an attacker to actually kill the network interface:
- Retail POS – taking out any communication so it can’t process payment, or connect to the retail/store management backend.
- Healthcare Operations – Many of the devices used by providers are controlled by traditional off-the-shelf PCs. Patient management and health record systems also run through web browsers. Disrupting this could impact health, safety, and even lives.
- Diversionary Tactic – Disrupting a network segment, thereby causing SecOps to focus on it, opens up an opportunity for bad guys to do damage or exfiltrate data elsewhere.
- Bottom-up DDoS – Rendering devices unusable has the same net effect as a distributed denial of service (DDos), albeit 'bottom-up' instead of 'top-down'.
- Covering Tracks – Finally, criminals can cover their tracks – after performing malicious activities – in a similar fashion to burning down the building after robbing it.
In these five simple cases, going offline benefits the bad guys. And detecting it isn’t simple.
When I’m Disconnected, Who is Protecting Me?
In the era of advanced endpoint security, most of the currently available tools rely on threat intelligence. While the promise is strong – leveraging knowledge from across vendors and around the world – it is predicated on a fatal flaw.
The information has to flow down to the endpoint through signature or other updates (and success/failure has to go back to the intelligence source, resulting in increased network traffic).
That means that even the most advanced detection and protection systems will be out of date the day a new signature is released.
Not so with Cylance. As proven over and over and over again, Cylance’s patented math models are effective months – if not years – ahead of the exploit. This means that a model released in late 2015 was just as effective in preventing Petya in the middle of 2016 as it was in preventing Graftor in January, 2017. The evil of Sauron/Strider/Remsec was predicted in January 2015, a full 18 months before the ‘zero-day’ report in August, 2016.
And Cylance’s advanced math models work offline or online.
Why Trust Your Incumbent Vendor?
Layering new techniques and technologies on top of a flawed core won’t make things better. Trusting persistent internet access with these antiquated tools will only get you into trouble.
That’s why you should always test for yourself. Try Cylance offline against malware, ransomware, scripts, or memory exploits. Check out some really impressive new testing methodologies in the report: AV-TEST Results.
And, now, use Metasploit, Shelter, or Veil-Evasion against Cylance. You’ll see that it stops it all.
Online or offline.