Steve McGregory
Ixia Senior Director, Application and Threat Intelligence
Blog

ATI Research Center–Better Odds with Us on Your Side

July 27, 2016 by Steve McGregory

The Ixia ATI Research Center is unlike most Threat Intelligence centers. We are different because we look at the world differently. We don’t just look for strengths in things, we look for weaknesses. We look at the products that are meant to protect your business, and we identify where they fall short. We’ve been doing this for over 11 years now, and in this blog, I’ll highlight how this experience protects and supports Ixia customers.

First, I need to mention two Ixia solutions that surface the ATI threat intelligence to users. Our BreakingPoint products live up to their name, bringing any networking device to its breaking point to help you layer your network defense in the best way to cover each of the weak links with another product’s strength. In our Threat Intelligence Gateway product line, ThreatARMOR plays a role in shoring up some weak links and removing known malicious activities from even bothering your layered network defense or cluttering your security logs.

ATI Improves the Odds Against the Zero-Day Mutations

Ransomware is using one of the security industry’s weakest links: the attackers are mutating their malware daily, and these become Zero Day Mutations that are not recognized by the majority of security products. You can read about this in our ATI blog, where Chuck McAuley dissects one of these mutations. These Zero Day Mutations are not recognized because most security products are signature-based and require first seeing the malware before implementing a signature for detection. There are other types of detection being developed, but the malware developers are also wise to their weaknesses and typically stay one step ahead (even offering non-detection guarantees). Malware makers are taking advantage of this gap in time before they are discovered and detected by a signature within your security product, by mutating and deploying these mutations as widely as possible. It’s a numbers game where the malware has an infinite number of possible mutations… advantage: malware.

The numbers look different when you look at a finite resource like IP addresses that are available for the malware distributors. While the malware makers can mutate an infinite number of times, they have a limited number of IP addresses from which they can serve these Zero Day Mutations.

With ATI Research Center you can even the playing field and even gain back the advantage. The Ixia ATI Research Center has developed a methodology of tracking these Zero Day Mutations. This research provides you coverage during the gap that exists before the malware is captured and you are covered by a signature that recognizes this Zero Day Mutation. This protection comes to you through the ATI Research Center in the form of our ThreatARMOR product. The ATI team tracks the resources being used to distribute these Zero Day Mutations and this intelligence is supplied to the ThreatARMOR cloud, protecting your users by blocking access to these malware distribution points on the Internet. The other benefit of blocking malware connections is lowering your operational costs, as you’ll spend less time dealing with alerts and remediating infected hosts.

The Malware Conundrum

How many malware samples must I test against my security defenses to know if I’m in good shape or not? That’s definitely a difficult question to answer. If you think all of them, then you need to be collecting many thousands of unique samples a day and confirming if your Anti-Virus or Network Security products identify and block them all. That’s not a realistic option. Fortunately, while the number of obfuscations that can be applied to a piece of code are almost limitless, the code once unpacked and executed doesn’t change as often.

The ATI team keys on the most prevalent malware being used in the wild and provides these to our BreakingPoint customers allowing them to determine the efficacy of security products in identifying malware. The ATI subscription provides frequent updates that provide these highly visible malwares along with their behavior within the network, allowing you to test each layer of your network security, operations, and processes. Read our Q2 Malware Update to get some insight into these malware that we’ve recently been tracking.

What About Sandboxing Solutions?

In recent years we’ve seen the addition of inline sandbox solutions meant to detect zero-day mutations that don’t yet have a signature. This is an excellent technology, and good step forward in the fight against malware. However, we constantly run into malicious code that is wise to sandboxing and evades by not executing or using tricks to make the sandbox think it is safe. ATI Security Researcher Adrian Hada has a blog series that provides good insight and details about the difficulties of trying to make sandboxes undetectable to malware. Most sandboxing systems run in a VM.  Because we see 70% of advanced malware able to detect VM sandboxing, the ATI Research Center has developed a sandboxing system in the cloud using physical servers. We see much better results detonating advanced malware on the physical sandbox systems, which gives us much better tracking of these Zero Day Mutations.

ATI Subscription Helps You Stay Ahead of Attacks

The Ixia Application and Threat Intelligence (ATI) Subscription for BreakingPoint provides bi-weekly updates of the latest application protocols and attacks for use with Ixia platforms. It uses the malware research we conduct to provide not only new malware types, but new evasion techniques, communication protocols, and even actual IP addresses currently used in the wild by bad actors. When you apply Ixia products and the ATI subscription to your security environment, you are modeling the most realistic, current, and advanced threat scenarios available. You can understand your strengths, your vulnerabilities, and places where your vendors might be falling behind. You can evaluate the effectiveness of advanced security features and understand their performance impact. In essence, you can tilt the odds in your favor by staying one step ahead of the bad guys lined up against you. And who doesn’t like better odds?