Cybereason Blog | Cybersecurity News and Analysis

The Eternal Flaw of One-Shot Detection Methods

Written by Lior Div | Aug 12, 2015 2:05:58 PM

Yesterday, I read Sara Peters' article in Dark Reading, "DGA.Changer Gets Anti-Detection Upgrade," which discussed how DGA.Changer has added a new trick to its arsenal: a technique that fools security tools into thinking they've captured it while it has already slipped away.

Well, at Cybereason we believe that even these "fooling" techniques can be spotted using the right capabilities.

When you examine the attack in vitro, it is too easy for the attacker to fool you. The burden of proof is on you, while the attacker only has to choose which escape trick to use. This is especially true with a one-shot decision model: if the malware fools you at that specific moment, it is free to do as it pleases thereafter.

However, when you keep your eye on your whole environment, continuously, there is no way you can be fooled. Detection that is done in situ and looks at the attacker's actual behavior pattern over time is bound to reveal his or her true nature. Cybereason detects both old and new variants of DGA-based malware, not by knowing each one in particular, but by detecting their true nature in the system.
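To make the one-shot versus continuous contrast concrete, here is an added example (written for this page, not Cybereason's product logic) that runs both decision styles over a constructed DNS resolver log. The log format, the hosts, the domains and the thresholds are all assumptions chosen for the sample: a one-shot check judges the single query in front of it, while the continuous check aggregates NXDOMAIN rate and label entropy per host across the whole window.

```python
import math
from collections import Counter

# Constructed sample DNS resolver log (not from the post), one line per query:
# "seq host domain rcode". host-a mimics DGA malware that opens with one innocuous
# lookup and then cycles through generated names that mostly fail to resolve.
SAMPLE_LOG = [
    "1 host-a cdn.example.net NOERROR",
    "2 host-a qnxwtpmfkrzjl.com NXDOMAIN",
    "3 host-a lkzpwqmvtrxbe.net NXDOMAIN",
    "4 host-a mail.example.org NOERROR",
    "5 host-a rtvzkqxmpwlnc.info NXDOMAIN",
    "6 host-a zxqwplmkrtvnb.com NXDOMAIN",
    "7 host-a wpqzrtmkvlxnc.org NXDOMAIN",
    "8 host-b www.example.com NOERROR",
    "9 host-b images.example.com NOERROR",
    "10 host-b typo.exampel.com NXDOMAIN",
    "11 host-b mail.example.com NOERROR",
    "12 host-b api.example.com NOERROR",
]
ENTROPY_THRESHOLD = 3.5  # bits; random 13-letter labels score ~3.7, words ~2.5 (assumed)
MIN_QUERIES = 5          # never judge a host on fewer observations than this (assumed)

def parse(line):
    seq, host, domain, rcode = line.split()
    return {"seq": int(seq), "host": host, "domain": domain, "rcode": rcode}

def label_entropy(domain):
    """Shannon entropy in bits of the registrable label ('example' in mail.example.org)."""
    labels = domain.rstrip(".").split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def one_shot_verdict(line):
    """In-vitro style decision: judge from the single observation in front of us."""
    return "dga" if label_entropy(parse(line)["domain"]) >= ENTROPY_THRESHOLD else "benign"

def host_features(lines, host):
    """Aggregate one host's behaviour over the whole observed window."""
    recs = [r for r in map(parse, lines) if r["host"] == host]
    n = len(recs)
    nx = sum(r["rcode"] == "NXDOMAIN" for r in recs)
    hi = sum(label_entropy(r["domain"]) >= ENTROPY_THRESHOLD for r in recs)
    return {"queries": n, "nxdomain_ratio": nx / n if n else 0.0,
            "high_entropy_ratio": hi / n if n else 0.0}

def continuous_verdict(lines, host):
    """In-situ decision: the pattern across many queries, not any single one."""
    f = host_features(lines, host)
    if f["queries"] < MIN_QUERIES:
        return "undecided"  # too little behaviour seen yet; keep watching
    if f["nxdomain_ratio"] >= 0.5 and f["high_entropy_ratio"] >= 0.5:
        return "dga"
    return "benign"
```

Run one_shot_verdict on host-a's first line and it says "benign", which is exactly the moment a sandbox would release the sample; continuous_verdict over the same host's full window says "dga".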