Critical Features of Next-Generation Endpoint Protection, Part Two: Dynamic Malware Detection

Malware Detection

You won’t see the virus that gets you. The infection, once it happens, will persist on a compromised endpoint for months. It will disguise itself as an entirely unexciting background process in Windows, where it will slowly, invisibly cache important data. Over the course of weeks, bit by bit, it will transmit encrypted PII to a C&C server run by a bulletproof hosting service in Russia. You will find out about your problem via a concerned, sympathetic email from a security researcher, asking about an Excel file full of Social Security numbers listed for sale on the dark web.

You won’t see the virus that gets you—unless your next-generation endpoint protection comes with Dynamic Malware Detection.

Attacking with Unknown Unknowns

As shown in our article on cloud intelligence, a lot of the malware that’s out in the wild has not been changed since its inception. That means that security researchers, by and large, have catalogued it. They’ve pinned it like a butterfly and found the mechanisms that it uses to infect endpoints, persist undetected, and steal data. Once these methods are discovered, researchers can write a signature which allows antivirus programs to identify, quarantine, and delete these viruses before they can execute.

As far as malware authors are concerned, this isn’t a very large problem. These criminals make their bread and butter from attacking targets that never installed antivirus in the first place. The fact that antivirus signatures exist for their malicious code is of very little concern.

Every once in a while, however, these cyber-criminals are tempted to pull off the kind of high-profile cyber-attack which targets a specific enterprise. Off-the-shelf malware is almost never used in these instances. Instead, malware authors will customize their code, both to evade specific defenses, and to confuse signature-based antivirus. Importantly, malware authors have never had to work particularly hard at this. Custom malware might just be two pre-existing blocks of code, from two previously separate pieces of malware, joined together in a novel way. That’s usually enough to confuse most mainstream signature-based endpoint protection products.

Dynamic Malware Detection: Filling in the Map

Once previously unknown malware infects a system, there’s little that an administrator can do, unless they use Next Generation Endpoint Protection. Malware tends to persist, as we’ve said, by disguising itself as a benign Windows process.

This kind of disguise won’t evade a Next Generation Endpoint Protection solution such as SentinelOne. That’s because our Dynamic Malware Detection component taps all of the processes and threads that run on a given endpoint. Nothing on the endpoint is hidden from it, so malware can’t hide its malicious behavior. What’s more, bad behavior won’t go unrecognized.

Algorithmic Protection

SentinelOne’s in-house security researchers are constantly dissecting malware samples in order to understand how they operate. We’ve used these operations to train an algorithm that can analyze and recognize malicious behavior when it occurs. Once enough malicious behavior accumulates, SentinelOne can definitively tag that behavior as belonging to a malicious program.

Importantly, this method can catch attackers who use zero-day attacks. Signature-based endpoint protection can’t stop zero-day threats, because no pre-existing signature or pattern of behavior exists for it to recognize. Only dynamic malware detection can truly mitigate an unknown unknown.
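
To make the contrast concrete, here is an added sketch (not SentinelOne's algorithm or code) of a hash-signature check missing a file built from two catalogued blocks, while per-process behavior scores accumulate until one process crosses a threshold. The behavior names, weights, threshold, and telemetry are all hypothetical and constructed for the illustration.

```python
import hashlib
from collections import defaultdict

# Constructed stand-ins for two catalogued samples and their signature database.
BLOCK_A, BLOCK_B = b"catalogued-sample-A", b"catalogued-sample-B"
KNOWN_BAD = {hashlib.sha256(b).hexdigest() for b in (BLOCK_A, BLOCK_B)}
CUSTOM = BLOCK_A + BLOCK_B  # two known blocks joined into a "new" file

# Hypothetical behavior weights and threshold (assumptions for this sketch).
WEIGHTS = {
    "system_name_wrong_path": 40,   # system process name, unexpected image path
    "persistence_autorun": 25,
    "bulk_document_reads": 20,
    "periodic_encrypted_upload": 30,
}
THRESHOLD = 80

def signature_verdict(image: bytes) -> bool:
    """Static check: exact hash match against the known-bad set."""
    return hashlib.sha256(image).hexdigest() in KNOWN_BAD

def behavioral_verdicts(events, threshold=THRESHOLD):
    """Accumulate per-process scores; return {pid: (score, event_index)}
    for each process at the moment its score first reaches the threshold."""
    scores, seen, flagged = defaultdict(int), defaultdict(set), {}
    for i, (pid, behavior) in enumerate(events):
        if behavior in seen[pid]:
            continue  # count each distinct behavior once per process
        seen[pid].add(behavior)
        scores[pid] += WEIGHTS.get(behavior, 0)  # unknown behaviors score 0
        if pid not in flagged and scores[pid] >= threshold:
            flagged[pid] = (scores[pid], i)
    return flagged

# Constructed telemetry as (pid, observed behavior) pairs.
EVENTS = [
    (4312, "file_open"),
    (988, "system_name_wrong_path"),
    (4312, "bulk_document_reads"),
    (988, "persistence_autorun"),
    (988, "bulk_document_reads"),
    (988, "bulk_document_reads"),
    (988, "periodic_encrypted_upload"),
]

if __name__ == "__main__":
    print("signature hit on custom sample:", signature_verdict(CUSTOM))
    print("behavioral verdicts:", behavioral_verdicts(EVENTS))
```

Process 988 is flagged at the fifth event, before any upload is observed, while process 4312, which only reads documents, stays below the threshold.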

If you want to learn more about how SentinelOne’s Next Generation Endpoint Protection Platform can help to mitigate both current and future threats, check out our white paper, “The Wicked Truths About Malware & Exploits,” or contact us today.