Many of the articles we post here discuss malicious operations, or what we call Malops. This is because the Cybereason philosophy is that the attack methodology matters much more than the exploits and tools that the hackers leverage. Exploits will be patched and tools will evolve and change, but attack methods and hacker behavior are more likely to remain the same over time. By analyzing this angle of a cyber attack, we are able to better recognize malicious behavior and react faster to a threat.
The main idea behind this approach is that identifying malicious activity sooner gives you a leg up on an attacker. A zero-day exploit by itself is a threat, but it is only a method for the attackers to gain access to your system. Once they are inside, the exploit becomes unimportant. By focusing our assessment on behavior and activity rather than on file signatures and hashes, we can recognize the malicious operation before the attackers have enough time to start exfiltrating data.
An example of this is one of the zero-day exploits released in the recent Hacking Team data leak. Because of our focus on behavior, we were able to instantly identify the privilege escalation activity within our lab when testing it against our platform, without changing anything in our own system.
“The exploits themselves, while dangerous, aren't the most interesting thing here,” says Amit Serper, Senior Security Researcher. “Any antivirus can detect using signatures, but the signatures always come after the damage has happened. It’s a game of cat and mouse out there. New exploit - patch; new exploit - patch; repeat. We at Cybereason actually made a paradigm shift long ago. That is why the company was founded and that is why we are able to catch zero-days so quickly.”
Penetration is inevitable, and it doesn’t matter which drivers or applications are vulnerable to an exploit. If you are able to detect abnormal activity in your environment and react to it as it occurs, you’ll be able to take a proactive stance against cyber attacks and stop hackers in their tracks.