This post was written by ARC Labs Contributor, John Dwyer, Director of Security Research at Binary Defense
In the first part of this series, we discussed how Binary Defense has innovated within the deception market by offering Managed Deception, which makes deception technology accessible to every organization. In this installment, we explore how Binary Defense is revolutionizing malware disruption by shifting the detection point to a place where common evasion and obfuscation techniques are ineffective.
The Cat and Mouse Game of Malware Detection
As the cybersecurity landscape evolves, so do the tactics of attackers. While there have been significant advancements in detecting malware and malicious actors within networks, many security products still rely on signatures derived from reverse-engineering malware. This process involves identifying immutable pieces of code or collecting data as processes execute, then uploading this data to cloud services for computationally expensive analytics to determine if a process is malicious. This approach results in a never-ending cat-and-mouse game where attackers continuously invent new ways to obfuscate or evade detection.
A New Disruption Paradigm
In a previous blog, we discussed how the “businessification” of cybercrime has coalesced around tried-and-true tools, techniques, and procedures, giving us a solid understanding of how these attacks happen. Despite significant advancements, attackers still find ways to evade detection for various reasons, such as bypasses or misconfigurations. This is where Binary Defense’s Managed Deception shines and forms the core of our cybersecurity Moneyball strategy.
Building on this foundation, Binary Defense has developed a patent-pending attack disruption technology, Disrupt, that is a critical evolution in defense against modern cybercriminals. Instead of relying on signature-based detection methods or expensive back-end cloud analytics, Disrupt focuses on a fundamental process in malicious code execution that is universally shared by all the commonly used command and control (C2) frameworks. This empowers security teams to thwart attacks early in the Cyber Kill Chain without impacting legitimate computing processes.
Our strategy operates within a space not utilized by attackers, allowing us to maintain high-fidelity detections for common attacker tools and malware without relying on backend cloud security processing power. This streamlined detection library for common malware payloads increases detection speed and efficacy, aligning with our Moneyball strategy: not simply throwing more expensive tools at a problem but approaching it in a smarter way that allows us to do more with fewer resources.
Innovation in Initial Access Tactics
Our analysis of the threat landscape reveals significant innovation in initial access tactics by cybercriminals. They have developed novel ways to conduct social engineering campaigns, leverage credential theft from the infostealer malware ecosystem, and use newly released exploits for code execution. However, there has been less innovation in the attack lifecycle once criminals gain access to an enterprise network. Often, cybercriminals use newly released command and control (C2) frameworks from the red teaming community that implement evasion and obfuscation methods to bypass automated detections in common security products.
The Shift to New C2 Frameworks
A few years ago, almost every ransomware operator was using Cobalt Strike. As security vendors improved their detections, criminals moved to other C2 frameworks like Merlin, Havoc, and others, facilitating interactive system access and evading detection temporarily. As security vendors catch up, criminals move to yet another tool, and the cycle continues.
Fundamental Detection Opportunities
By analyzing how common C2 frameworks execute their implants, we identified commonalities between these frameworks and widely used post-exploitation tools. These commonalities reveal fundamental requirements to interact with the Windows operating system for payload execution—areas not currently monitored or leveraged by security vendors as opportunities for detecting malicious code. Attackers have not implemented evasion and obfuscation methods in this area, making it a greenfield battleground.
Testing and Results
We tested our new detection mechanism against commonly leveraged C2 frameworks and post-exploitation tools. Using typical attack chains of ransomware and data theft operators, we tested various Windows versions and C2 framework implementations. Our testing revealed that Binary Defense’s Disrupt technology has an over 90% detection rate against known C2 framework implants using a single detection technique. It is also immune to sophisticated evasion and obfuscation techniques.
Future-Resistant Detection
Condensing our detection strategy to logical choke points of malware execution enables future-resistant detection with fewer resources. This approach reduces endpoint-level resource consumption for detections and allows Binary Defense to add capabilities without negatively affecting endpoint performance.
Conclusion
Binary Defense is changing the landscape of malware detection by targeting fundamental malware processes, ensuring robust and efficient detection without relying on traditional methods. This innovative approach exemplifies our “work smarter, not harder” strategy.
MDR Plus brings together our Malware Disruption and Managed Deception capabilities:
- Malware Disruption targets universal processes in malicious code execution shared by all commonly used command and control (C2) frameworks. This approach allows us to detect and neutralize threats early in the attack lifecycle, bypassing common evasion and obfuscation techniques.
- Managed Deception deploys techniques to create deceptive environments and traps that mislead attackers, making it harder for them to bypass security controls while gathering valuable intelligence on their tactics.
By integrating these advanced capabilities, Binary Defense continues to offer robust protection against evolving cyber threats, maintaining high detection fidelity and efficiency with minimal resource overhead. This aligns with our Moneyball strategy, enabling us to achieve superior security outcomes by leveraging smarter, more cost-effective solutions instead of simply investing in more expensive tools.