Signature- or Behavior-Based Security?

Ashley Garner
Ashley Garner
May 11, 2022

In the war of signature versus behavior-based detection, there is no victor. These critical and complementary technologies were exactly what the world needed. But the time has come for a new solution. There’s a new way of protecting, and it combines all the best aspects of what we know today, plus that critical component that’s missing from today’s traditional solutions: reputation.

Detection vs. Protection

Some technologies are simply designed to “detect” suspicious activity and then log it or alert something or somebody that there has been a detection. In other words, these technologies do nothing about the incident other than telling something or somebody that something has been seen.

Protection on the other hand must first detect something suspicious has been seen, and will then take action to prevent that “thing” or “code” from detonating or becoming active on your network.

Think back to the good old days when there were just a handful of virus detection/protection solutions out there like Norton Antivirus. If you had Norton for personal or home use, you could go into the quarantine folder, find all the virus files that Norton detected attempting to access and install on your computer, and see that Norton had quarantined it – essentially rendering it useless and unable to execute.

So hackers bought Norton and other antivirus software solutions and learned how to bypass them. It is now fairly safe to assume they own versions of nearly all IDPS solutions and work vigorously to learn how to circumvent their detection capabilities.

Signature-Based Detection & Protection

When you purchase and install your first anti-malware solution, the first thing it will do is reach back to the vendor’s database of malware signature rules and download them onto your system’s app. It will then routinely check the database for updates to attempt to stay as current as possible. As files are introduced to your network or a computer/device on your network, the security solution scans your system and compares the binary of those files to the list of binaries in its database.

If there is a match, a signature or “rule” tells the solutions to alert, block, quarantine, or prevent the file from executing or proceeding any farther. And therein lies the problem. The database is only updated as fast as signatures for newly identified malicious files can be identified, analyzed, tested, and verified as malicious.

Keep in mind, that some believe nation-state actors are now capable of slightly altering original malicious files an exponential number of times (think variants) using artificial intelligence, at an extremely rapid pace.

Therefore, the industry does its best to keep newly discovered malicious files quiet and under the radar, because they are racing against the clock to produce signatures before word spreads throughout the cybercriminal community where they can begin taking action. If vendors get their databases updated quickly enough, the odds of cybercriminal success diminish quickly.

Behavior-Based Detection & Protection

Behavior-based detection, sometimes called heuristics or anomaly-based detection, uses a completely different approach. To begin, behavior-based detection systems need to understand a detailed blueprint of your network. They need to see a network topology, understand all of your operating systems and applications, understand your firewall rules, and understand what normal data looks like as it traverses your network.

They may also incorporate your security policies, settings, and normal network/sysadmin functions into their understanding of your network “behavior.” Once the initial monitoring, recording, sampling, and data are all applied, the solution considers this your baseline.

After that point, any suspicious network traffic or alterations will most likely be detected and flagged as alerts or reported as suspicious activity.

Some examples of behavior-based detections might be:

  • never-before-used hosts suddenly appearing on your network,
  • an unusually high volume of transactions occurring at odd times compared to the baseline,
  • unusual login attempts to key pieces of network architecture like domain controllers,
  • patterns of data moving between machines in the middle of the night with no corresponding process, or
  • processes normally never used on any machines in your network start appearing.

Another critical aspect of behavior-based systems are the analysts who monitor them. Even better is if those people are threat hunting rather than just monitoring alerts. The main reason is that someone needs to ask “Why?” in regards to the alerts a behavior-based solution might generate. And threat hunters will not only inquisitively ask why, but also, how? And they’ll deep dive into what is happening that the solution thinks is malicious. During this investigation process, it is likely they’ll discover other things the solution didn’t see during their investigation.

Aside from the fact that all of this takes a significant amount of time, resources, and expertise – the glaring issue with all of this is: What if cybercriminals are already inside your network when the initial baseline is determined? They may simply look like part of your normal.

A New Concept: Reputation-Based

Instead of signatures and rules and binary and behaviors, what if you could see what and who your resources are communicating with, in both directions, and know if those communications are with reputable or suspicious Internet Protocol (IP) address space on the internet?

Many people aren’t aware that IP space is mathematically finite, but all of what is there has always been there. That means since the beginning of the internet, there is a history for every single IP on the internet (roughly around 8.5 billion IPs). Even if the IP has never been used or taken by someone for use, that is its history: unused.

This IP history is incredibly valuable because IPs go through many users and shared users over time. Also, many IPs are used simultaneously by multiple hosts, such as multiple websites, multiple databases, and so on. It is true also that many are hosting just one user, system, server, mobile device, IoT camera, etc. at a time.

This can lead instantly to an easy set of questions:

  • Do I want my company enterprise to communicate with IP space in foreign countries?
  • Do I want my company enterprise communicating with domains less than 1 month, 3 months, 6 months, 1 year, 2 years old?
  • Should any of my machines be communicating with IP space known to host malware or be part of a ransomware or hacker group’s infrastructure?
  • How do I know the reputation of any particular IP address or domain?
  • What about communicating with the dark web?

These IP and domain histories are valuable because everyone from solo hackers to nation-state-sponsored threat actors lease IP space and domains – sometimes for quick, temporary purposes or often long periods of time. In the case of the latter, it usually is well-known that those are high-risk IP addresses. But in the case of the former, many are unsure what to call it until something happens with it.

Would you block communications to Amazon Web Services if you found out hackers hide malware in domain resources hosted by AWS? Or Google Cloud? Or Microsoft Azure? Because they all have bad guys leasing space and setting up domains (or hacking into someone else cloud-based domain) and are storing their malware there. Those cloud providers just don’t have the capacity to scrub the entire cloud and catch them all. So will you block communications to those cloud providers? Of course not. You do business there as well.

There are many reasons an IP or domain can have a high-risk rating. It can be as simple as geographic region, or nation-state owned/leased IP space. It can be due to levels of threat intelligence reports indicating the IP is often used for hosting malware or used as a hopping point in cyberattacks. It might be based on the date of domain creation or the age of domains used in business.

What if you could control those communications based on those reputations such as kill the connection attempts or allow and observe what they’re doing? It is all possible and we advocate adding that capability to your security stack as soon as possible. We believe there are simply more, early, and better indicators of malicious activity just in the connection analysis of your company’s network to the outside world.

Intrusion Shield in Your Security Stack

Despite thousands of companies having valuable security stacks managed by qualified security experts, it seems every day a new company suffers a ransomware attack or data breach. We’ve blogged in the past about the anatomy of a cyberattack and have highlighted how phishing is still the top first-strike method for hackers to walk past your security stack.

The reality is that at least some of those phishing emails are going to get into the inboxes of your employees. The real problem is what happens after your employee downloads the file, clicks the link, or opens the app. The emails will often come from non-suspicious-looking sources because they’re spoofing legitimate email addresses. That is step one. But step two is when your employee clicks the link or opens the file and a script “call-home” to an IP/domain to download the next stage of malware.

Few solutions adequately identify good IP space from bad. Some vendors claim they’re aware of 500 million bad IPs. That’s a fraction of the 3.5 billion that should have a high-risk, poor reputation score. Intrusion Shield monitors every packet from every port and every protocol traveling in both directions, to and from your network.

We are certain integrating Intrusion Shield into your stack will save your security analysts valuable time and resources to locate and stop malicious activity within your network before it becomes serious.

Resources that might interest you.

Get on our email list.