United We Stand, Divided We Fall.

If I had to single out a single development that elevated the sophistication of cybercrime by an order of magnitude, it would be sharing: code sharing, vulnerability sharing, knowledge sharing, sharing of stolen passwords and anything else you can think of. Attackers who once worked in silos, in essence competing with each other, have discovered and fully embraced the power of cooperation and collaboration. I was honored to present a high-level overview on the topic of cyber collaboration a couple of weeks ago at the kickoff meeting of a new advisory group to the CDA (the Cyber Defense Alliance), called the “Group of Seven”, established by the Founders Group. Attendees included Barclays’ CISO Troels Oerting and CDA CEO Maria Vello as well as other key people from the Israeli cyber industry. The following summarizes and expands upon my presentation.


TL;DR – In order to ramp up the game against cyber criminals, organizations and countries must invest in tools and infrastructure that enable privacy-preserving cyber collaboration.

The Easy Life of Cyber Criminals

The amount of energy defenders must invest in order to protect, vs. the energy cyber criminals need to attack a target, is far from equal. While attackers have always had an advantage, over the past five years the balance has tilted dramatically in their favor. Attackers, in order to achieve their goal, need only find one entry point into a target. Defenders need to make sure every possible path is tightly secured – a task of a whole different scale.


Multiple concrete factors contribute to this imbalance:

  • Obfuscation and code polymorphism that disguise malicious code as harmless content have rendered a large chunk of established security technologies irrelevant. Those technologies were built on a different set of assumptions, during what I call “the naive era of cyber crime.”
  • Collaboration among adversaries, in the many forms of knowledge and expertise sharing, naturally sped up the spread of sophistication and innovation.
  • Attackers, as experts in finding the path of least resistance, discovered a sweet spot of weakness that defenders can do little about: humans. Human weaknesses are the hardest to defend because attackers exploit core human traits such as trust, personal vulnerabilities and the tendency to make mistakes.
  • Attribution in the digital world is vague and almost impossible to achieve with the tools currently at our disposal. This makes finding the root cause of an attack and eliminating it with confidence very difficult.
  • The complexity of IT systems has led to security information overload, which makes timely handling and prioritization difficult; attackers exploit this by hiding their activity in the wide stream of security alerts. One driver of this overload is defense tools reporting an ever-growing number of false alarms because they cannot accurately identify malicious events.
  • The increasingly distributed nature of attacks and the use of “distributed offensive” patterns make defense even harder.


Given the harsh reality of the world of cyber security today, it is not a question of whether an attack is possible; it is just a matter of the interest and focus of cyber criminals. Unfortunately, the current de facto defense strategy rests on creating a bit more difficulty for attackers on your end, so that they will go find an easier target elsewhere.

Rationale for Collaboration

Collaboration, as proven countless times, creates value beyond the sum of the participating elements. This is also true for the cyber world, where collaboration across organizations can contribute enormously to defense. For example, consider the time it takes to identify a propagating threat and raise an early warning: it shrinks as the number of collaborating participants grows, since every participant adds another vantage point from which the threat can first be spotted. This matters most for attacks targeting mass audiences, which tend to spread in epidemic-like patterns. Collaboration in the form of expertise sharing is another area of value: one of the main roadblocks to progress in cyber security is the shortage of talent, and the sharing of resources and knowledge would go a long way toward easing it. Collaboration in artifact research can also reduce the time to identify and respond to cyber crime incidents. Furthermore, the increasing interconnectedness between companies as well as consumers means that the attack surface of an enterprise – the possible entry points for an attack – is constantly expanding. Collaboration can serve as an important counter to this weakness.


A recent phenomenon that may be inhibiting progress towards real collaboration is the perception of cybersecurity as a competitive advantage. Establishing a solid cybersecurity defense presents many challenges and requires substantial resources and customers increasingly expect businesses to make these investments. Many CEOs consider their security posture as a product differentiator and brand asset and, as such, are disinclined to share. I believe this to be short-sighted due to the simple fact that no-one is really safe at the moment; shattered trust trumps any security bragging rights in the likely event of a breach. Cyber security needs to progress seriously in order to stabilize and I don’t think there is value in small marketing wins which only postpone progress in the form of collaboration.

Modus Operandi

Cyber collaboration across organizations can take many forms ranging from deep collaboration to more straightforward threat intelligence sharing:

  • Knowledge and domain expertise – Whether it is about co-training or working together on security topics, such collaborations can mitigate the shortage of cyber security talent and spread newly acquired knowledge faster.
  • Security stack and configuration sharing – It makes good sense to share such knowledge, although today it is kept close to the chest. Such collaboration would help disseminate and evolve best practices in security posture, and help organizations keep up with the flood of newly emerging technologies, whose validation processes take long periods of time.
  • Shared infrastructure – There are quite a few models in which multiple companies share the same infrastructure with a single cyber security function, for example cloud services and services rendered by MSSPs. While the common belief today holds that cloud services are less secure for enterprises, from a security investment point of view there is no reason this must be the case; a security function funded by many tenants could and should be better. A big portion of such shared infrastructure today hides in what is called Shadow IT. A proactive step in this direction would be for a consortium of companies to build a shared infrastructure that fits the needs of all its participants. In addition to improving defense, the cost of security would be shared among all the collaborators.
  • Sharing concrete live intelligence on encountered threats – Sharing effective indicators of compromise, signatures or patterns of malicious artifacts, and the artifacts themselves, is where the cyber collaboration industry currently stands.


Imagine the level of fortification that could be achieved for each participant if these types of collaborations were a reality.

Challenges on the Path of Collaboration

Cyber collaboration is not taking off at the speed we would like, even though experts may agree to the concept in principle. Why?

  • Cultural inhibitions – The mindset of not cooperating with the competition, the fear of losing intellectual property and the fear of losing expertise weigh heavily on many decision makers.
  • Sharing is limited by the justified fear of exposing sensitive data – Deep collaboration in the cyber world requires technical solutions that allow sharing of meaningful information without sacrificing sensitive data.
  • Exposure to new supply chain attacks – Real-time and actionable threat intelligence sharing raises questions about the authenticity and integrity of incoming data feeds, creating a new weak point at the core of the enterprise security systems.
  • Before an organization can start collaborating on cyber security, its internal security function needs to work properly – which is not necessarily the case in a majority of organizations.
  • Brand risk – An incident at a single participant in a group of collaborators can damage the public image of the other participants.
  • The tools, expertise and know-how required for establishing a cyber collaboration are still nascent.
  • As with any emerging topic, there are too many standards and no agreed-upon principles yet.
  • Collaboration in the world of cyber security has always raised privacy concerns among consumer and citizen groups.


Though there is a mix of misconceptions, social and technical challenges, the importance of the topic continues to gain recognition and I believe we are on the right path.


Technical Challenges in Threat Intelligence Sharing

Even the limited case of concrete threat intelligence sharing raises a multitude of technical challenges, and best practices to overcome them have not yet been determined:

  • How to achieve balance between sharing actionable intelligence, which must be rich in order to be actionable, and preventing exposure of sensitive information.
  • How to establish secure and reliable communications among collaborators, with proper handling of authorization, authenticity and integrity, so that the risk posed by collaboration itself is minimized.
  • How to verify the potential impact of actionable intelligence before it is applied at other organizations. For example, if one collaborator broadcasts that google.com is a malicious URL, how can the other participants automatically recognize that this is not something to act upon?
  • How to make sure we don’t amplify the information overload problem by forwarding false alerts to other organizations, or otherwise handle the added load.
  • Once collaboration is established, how can IT measure the effectiveness of the effort invested against the resources saved and the added protection? How do you calculate collaboration ROI?
  • Investigating an incident often requires a good understanding of, and access to, other elements in the attacked enterprise’s network; collaborators naturally cannot have such access, which limits their ability to conduct a root cause investigation.


These are just a few of the current challenges; more will surface as we get further down the path to collaboration. There are several emerging technological areas which can help tackle some of them: privacy-preserving approaches from the world of big data, such as synthetic data generation; zero-knowledge proofs and related cryptographic techniques (often discussed alongside blockchain, though they are a distinct tool); tackling information overload with Moving Target Defense-based technologies that deliver only true alerts, such as Morphisec Endpoint Threat Prevention, and/or emerging solutions in AI and security analytics; and distributed SIEM architectures.


Collaboration Grid

In a highly collaborative future, a grid of collaborators will emerge connecting every organization. Such a grid will work according to certain rules, taking into account that countries will be participants as well:

Countries – Countries can work as centralized aggregation points, aggregating intelligence from local enterprises and disseminating it to other countries which, in turn, will disseminate the received intelligence to their respective local enterprises. There should be some filtering on the type of intelligence being disseminated and classification so the propagation and prioritization will be effective.

Sector Driven – Each industry has its common threats and common malicious actors; it’s logical that there would be tighter collaboration among industry participants.

Consumers & SMEs – Consumers are the ones excluded from this discussion although they could contribute and gain from this process like anyone else. The same holds true for small to medium sized businesses, which cannot afford the enterprise grade collaboration tools currently being built.

Final Words

One of the biggest questions about cyber collaboration is when it will reach a tipping point. I speculate that it will occur when a disastrous cyber event takes place, or when startups emerge in a massive number in this area or when countries finally prioritize cyber collaboration and invest the required resources.

Congratulations! Morphisec raises $7M

Israeli startup Morphisec, which develops cyber security prevention and detection tools, has closed a $7 million Series A funding round led by Jerusalem Venture Partners (JVP), GE Ventures, Deutsche Telekom, Portage Advisors llc., and OurCrowd. The company has raised $8.5 million to date, including this financing round.

http://www.globes.co.il/en/article-israeli-cyber-security-startup-morphisec-raises-7m-1001071492

Is It GAME OVER?

Targeted attacks come in many forms, though there is one common tactic most of them share: Exploitation. To achieve their goal, they need to penetrate different systems on-the-go. The way this is done is by exploiting unpatched or unknown vulnerabilities. More common forms of exploitation happen via a malicious document which exploits vulnerabilities in Adobe Reader or a malicious URL which exploits the browser in order to set a foothold inside the end-point computer. Zero Day is the buzzword today in the security industry, and everyone uses it without necessarily understanding what it really means. It indeed hides a complex world of software architectures, vulnerabilities and exploits that only few thoroughly understand. Someone asked me to explain the topic, again, and when I really delved deep into the explanation I was able to comprehend something quite surprising. Please bear with me, this is going to be a long post 🙂

Overview

I will begin with some definitions of the different terms in the area. These are my own personal interpretations of them; they are not taken from Wikipedia.

Vulnerabilities

This term usually refers to problems in software products: bugs, bad programming practice or logical errors in the implementation. Software is not perfect, and one could argue that it cannot be. Furthermore, the people who build the software are even less perfect, so it is safe to assume such problems will always exist in software products. Vulnerabilities exist in operating systems, in runtime environments such as Java and .Net, and in specific applications, whether written in high-level languages or native code. Vulnerabilities also exist in hardware products, but for the sake of this post I will focus on software, as the topic is broad enough even with this focus. One of the main contributors to the existence and growth in the number of vulnerabilities is the ever-growing complexity of software products: complexity increases the odds of creating new bugs and makes them harder to spot. A vulnerability always relates to a specific version of a software product, which is a static snapshot of the code used to build the product at a specific point in time. Time plays a major role in the business of vulnerabilities, maybe the most important one.

Assuming vulnerabilities exist in all software products, we can categorize them into three groups based on the level of awareness to these vulnerabilities:

  • Unknown Vulnerability – A vulnerability which exists in a specific piece of software and of which no one is aware. There is no proof that such a vulnerability exists, but experience teaches us that it does and is just waiting to be discovered.
  • Zero Day – A vulnerability which has been discovered by a certain group of people or a single person while the vendor of the software is not aware of it, so it is left open without a fix and without awareness of its presence.
  • Known Vulnerabilities – Vulnerabilities which have been brought to the awareness of the vendor and of customers, either in private or as public knowledge. Such vulnerabilities are usually identified by a CVE number. During the first period following discovery the vendor works on a fix, or patch, which is then made available to customers. Until customers update the software with the fix, the vulnerability remains open to attack. So in this category each installation of the software can have patched or un-patched known vulnerabilities. Note that a patch always ships as a new software version, so a specific product version either contains a vulnerability or it does not; there is no such thing as a patched vulnerability, only newer versions that no longer contain it.

There are other ways to categorize vulnerabilities: by the class of bug, such as a buffer overflow; by the exploitation technique it enables, such as heap spraying; or by the nature of the flaw, a logical error in the design versus a mistake in the implementation.

Exploits

A piece of code which abuses a specific vulnerability in order to make the attacked software do something its authors did not intend. This means either gaining control of the execution path inside the running software, so the exploit can run its own code, or merely achieving a side effect such as crashing the software or making it behave in a way not foreseen by its original design. Exploits are usually associated with malicious intent, although from a technical point of view an exploit is just a mechanism for interacting with a specific piece of software via an open vulnerability; I once heard someone refer to it as an “undocumented API” :).

This picture from Infosec Institute describes a vulnerability/exploits life cycle in an illustrative manner:

[Image: vulnerability/exploit life cycle diagram from Infosec Institute]

The time span colored in red is the period during which a found vulnerability is considered a Zero Day; the span colored in green is the period after disclosure during which the vulnerability is known but installations remain un-patched. The post-disclosure risk is always dramatically higher, as the vulnerability becomes public knowledge and the bad guys can and do exploit it far more frequently than in the earlier stage. Closing the gap in the patching period is the only step which can be taken toward reducing this risk.

The Math Behind Targeted Attacks

Most targeted attacks today use the exploitation of vulnerabilities to achieve three goals:

  • Penetrate an employee end-point computer by different techniques such as malicious documents sent by email or malicious URLs. Those malicious documents/URLs contain malicious code which seeks specific vulnerabilities in the host programs, such as the browser or the document reader, and during what looks like a harmless reading experience the malicious code sneaks into the host program, which becomes the penetration point.
  • Gain higher privilege once malicious code already resides on a computer. Many times the code which managed to sneak into the host application does not have enough privilege to continue its attack into the organization, so it exploits vulnerabilities in the application’s runtime environment, which can be the operating system or the JVM for example, to gain elevated privileges.
  • Lateral movement – once the attack is inside the organization and wants to reach other areas of the network to achieve its goals, it often exploits vulnerabilities in other systems which lie on its path.

So, from the point of view of the attack itself, we can definitely identify three main stages:

  • Attack at Transit Pre Breach – This state means an attack is moving around on its way to the target and in the target prior to exploitation of the vulnerability.
  • Attack at Penetration – This state means an attack is exploiting a vulnerability successfully to get inside.
  • Attack at Transit Post Breach – This state means an attack has started running inside its target and within the organization.

The following diagram quantifies the complexity inherent in each attack stage both from the attacker and defender sides and below the diagram there are descriptions for each area and the concluding part:

Ability to Detect an Attack at Transit Pre Breach

Those are the red areas in the diagram. Here an attack is on its way to the target, prior to exploitation, and the enterprise can scan the binary artifacts of the attack: network packets, a visited website, or a specific document travelling through the email servers or arriving at the target computer. This approach is called static scanning. The enterprise can also emulate the expected behavior of the artifact in a controlled environment (opening a document in a sandbox) and try to identify patterns in the sandbox’s behavior which resemble a known attack pattern; this is called behavioral scanning.

Attacks pose three challenges towards security systems at this stage:

  • Infinite Signature Mutations – Static scanners look for specific binary patterns in a file which match a malicious code sample in their database. Attackers have long since outsmarted these tools: they have automation that changes those patterns at random, producing an unbounded number of static mutations, so a single attack can take an unbounded number of forms in its packaging.
  • Infinite Behavioural Mutations – The security industry evolved from static scanners towards behavioral scanners, where the “signature” is a behavior; this eliminates the problem of static mutations, and the base of behaviors to track is dramatically smaller. A single behavior can be decorated with many static mutations, and behavioral scanners filter out that noise. The attackers’ answer makes behavioral mutations unbounded as well, in two ways:
    • Infinite number of mutations in behaviour – In the same way attackers outsmart the static scanners by creating endless static decorations on the attack, they can insert dummy steps or reshuffle the attack steps so that the result is the same but, from a behavioral pattern point of view, the attack looks different. The spectrum of behavioral mutations seemed at first narrower than that of static mutations, but with the advancement of attack generators even that has been achieved.
    • Sandbox evasion – Attacks which are scanned for bad behavior in a sandboxed environment have developed advanced capabilities to detect whether they are running in an artificial environment; if they detect one, they pretend to be benign and perform no exploitation. This is an ongoing race between behavioral scanners and attackers, and attackers currently seem to have the upper hand.
  • Infinite Obfuscation – This technique connects to the infinite static mutations factor but deserves specific attention. In order to deceive static scanners, attackers hide the malicious code itself by running some transformation on it, such as encryption, and shipping a small piece of code which decrypts it on the target just before exploitation. Again, the range of options for obfuscating code is unbounded, which makes the static scanners’ work ever harder.
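As an added illustration of the static-mutation and obfuscation points above (example code written for this edit, not the post’s or any vendor’s code), here is a small C program: a constructed byte sequence stands in for a payload, a scanner looks for a 4-byte signature taken from it, and a “packer” XORs the payload with a rolling key derived from a per-sample seed so that each sample has a different byte pattern while a tiny decoder restores it in memory. The payload bytes, the signature and the seeds are all made up for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for a payload (not real malicious code): a few x86-looking
 * bytes around a 4-byte marker (DE AD BE EF) that the scanner has a signature for. */
static const uint8_t PAYLOAD[] = { 0x55, 0x8B, 0xEC, 0xDE, 0xAD, 0xBE, 0xEF, 0x5D, 0xC3 };
#define PAYLOAD_LEN (sizeof PAYLOAD)

/* The static scanner's signature: the byte pattern it matches on. */
static const uint8_t SIGNATURE[] = { 0xDE, 0xAD, 0xBE, 0xEF };

/* Minimal static scanner: 1 if the signature occurs anywhere in buf, else 0. */
int scan_for_signature(const uint8_t *buf, size_t len) {
    for (size_t i = 0; i + sizeof SIGNATURE <= len; i++)
        if (memcmp(buf + i, SIGNATURE, sizeof SIGNATURE) == 0) return 1;
    return 0;
}

/* "Packer" side: XOR the payload with a rolling key derived from a per-sample seed.
 * Every seed produces a different byte sequence, so no signature taken from the
 * payload survives. Real packers use stronger transforms and also mutate the
 * decoder stub; a rolling XOR is enough to show the effect on the scanner. */
void mutate(const uint8_t *in, size_t len, uint8_t seed, uint8_t *out) {
    for (size_t i = 0; i < len; i++)
        out[i] = in[i] ^ (uint8_t)(seed + 13u * (uint8_t)i);
}

/* Decoder stub: the only part that ships in the clear. It rebuilds the payload in
 * memory right before use, after the static scanner has already had its look. */
void restore(const uint8_t *in, size_t len, uint8_t seed, uint8_t *out) {
    mutate(in, len, seed, out);      /* XOR with the same key stream is its own inverse */
}

/* 1 if the sample built with `seed` slips past the scanner and still decodes back
 * to the original payload; 0 otherwise. */
int mutation_evades_and_restores(uint8_t seed) {
    uint8_t packed[PAYLOAD_LEN], unpacked[PAYLOAD_LEN];
    mutate(PAYLOAD, PAYLOAD_LEN, seed, packed);
    if (scan_for_signature(packed, PAYLOAD_LEN)) return 0;   /* scanner still caught it */
    restore(packed, PAYLOAD_LEN, seed, unpacked);
    return memcmp(unpacked, PAYLOAD, PAYLOAD_LEN) == 0;
}

/* 1 if two seeds yield two different on-disk samples of the same payload. */
int mutations_differ(uint8_t seed_a, uint8_t seed_b) {
    uint8_t a[PAYLOAD_LEN], b[PAYLOAD_LEN];
    mutate(PAYLOAD, PAYLOAD_LEN, seed_a, a);
    mutate(PAYLOAD, PAYLOAD_LEN, seed_b, b);
    return memcmp(a, b, PAYLOAD_LEN) != 0;
}

int main(void) {
    printf("plain payload flagged: %d\n", scan_for_signature(PAYLOAD, PAYLOAD_LEN));
    printf("seed 0x41 evades and restores: %d\n", mutation_evades_and_restores(0x41));
    printf("seed 0x7E evades and restores: %d\n", mutation_evades_and_restores(0x7E));
    printf("two mutations differ: %d\n", mutations_differ(0x41, 0x7E));
    return 0;
}
```

The scanner flags the plain payload and misses every packed copy, and two seeds give two different samples; a scanner that instead signatured the decoder stub would be beaten the same way once the stub is mutated too, which is why the text treats the number of static forms as effectively unbounded.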

This makes the challenge of capturing an attack prior to penetration very difficult, bordering on impossible, and it gets harder with time. I am not by any means implying that such security measures don’t serve an important role; today they are the main safeguards keeping the enterprise from turning into a zoo. I am just saying it is a very difficult problem to solve, and that there are other areas in which a CISO would get a better return on investment (if such a thing as security ROI exists).

Ability to Stop an Attack at Transit Post Breach

Those are the black areas in the diagram. An attack which has already gained access to the network can take an endless number of possible paths to achieve its goals. Once an attack is inside the network, the relevant security products try to identify it. Such technologies include big data/analytics which try to identify activity in the network that implies malicious intent, and network monitors which listen to the traffic and try to identify artifacts or static or behavioral patterns of an attack. Those tools rely on different informational signals which serve as attack indicators.

Attacks pose multiple challenges towards security products at this stage:

  • Infinite Signature Mutations, Infinite Behavioural Mutations, Infinite Obfuscation – these are the same challenges as described before, since the attack within the network can have the same characteristics as before it entered the network.
  • Limited Visibility on Lateral Movement – Once an attack is inside, its next steps are usually to gain a foothold in different areas of the network, and such movement is hardly visible because it consists of legitimate actions: once an attacker holds higher privilege it performs actions which are considered legitimate, merely privileged, and it is very difficult for a machine to tell the good ones from the bad ones. On top of that, persistent attacks usually use techniques which keep them stealthy and invisible.
  • Infinite Attack Paths – The path an attack can take inside the network, especially a targeted attack whose goals are unknown to the enterprise, has endless options.

This makes the ability to deduce that there is an attack, and to determine its boundaries and goals from specific signals coming from different sensors in the network, very limited. Sensors deployed on the network never provide true visibility into what is really happening, so the picture is always partial. Add to that deception techniques about the path of the attack and you stumble into a very difficult problem. Again, I am not arguing that security analytics products which focus on post-breach detection are unimportant; on the contrary, they are very important. I am just saying it is the beginning of a very long path toward real effectiveness in that area. Machine learning is already playing a serious role, and AI will definitely be an ingredient in a future solution.

Ability to Stop an Attack at Penetration Pre Breach and on Lateral Movement

Those are the dark blue areas in the diagram. Here the challenge is reversed onto the attacker, since there are only a limited number of entry points into the system, entry points a.k.a. vulnerabilities. Those are:

  • Unpatched Vulnerabilities – These are open “windows” which have not been covered yet. The main challenge here for the IT industry is automation, dynamic updating capabilities and prioritization. It is definitely an open gap, but one which can potentially be narrowed down until it becomes insignificant.
  • Zero Days – This is an unsolved problem. There are many approaches to it, such as ASLR and DEP on Windows, but still no bulletproof solution. In the startup scene I am aware of quite a few companies working very hard on one. Attackers identified this soft belly a long time ago, and it is the weapon of choice for targeted attacks that can yield serious gains for the attacker.

This area presents a definite problem, but in a way it seems the most likely to be solved earlier than the other areas, mainly because the attacker at this stage is at its greatest disadvantage: right before it gets into the network it has endless options to disguise itself, and after it gets in the action paths it can take are endless, but here the attacker needs to go through a specific window, and there are not too many of those left unprotected.

Players in the Area of Penetration Prevention

There are multiple companies/startups which are brave enough to tackle the toughest challenge in the targeted attacks game – preventing infiltration – I call it, facing the enemy at the gate. In this ad-hoc list I have included only technologies which aim to block attacks at real-time – there are many other startups which approach static or behavioral scanning in a unique and disruptive way such as Cylance and CyberReason or Bit9 + Carbon Black (list from @RickHolland) which were excluded for sake of brevity and focus.

Containment Solutions

Technologies which isolate the user applications in a virtualized environment. The philosophy is that even if an application is exploited, the exploit will not propagate to the computer environment and the attack will be contained. From an engineering point of view I think these guys have the most challenging task: isolation and usability pull in opposite directions, and it all involves virtualization on an end-point, which is a difficult task in its own right. Leading players are Bromium and Invincea, well established startups with very good traction in the market.

Exploitation Detection & Prevention

Technologies which aim to detect and prevent the actual act of exploitation. Starting from companies like Cyvera (now Palo Alto Networks Traps product line) which aim to identify patterns of exploitations, technologies such as ASLR/DEP and EMET which aim at breaking the assumptions of exploits by modifying the inner structures of programs and setting traps at “hot” places which are susceptible to attacks, up to startups like Morphisec which employs a unique moving target concept to deceive and capture the attacks at real-time. Another long time player and maybe the most veteran in the anti exploitation field is MalwareBytes. They have a comprehensive offering for anti exploitation with capabilities ranging from in-memory deception and trapping techniques up to real time sandboxing.

At the moment the endpoint market is still controlled by the marketing money poured in by the major players, while their solutions grow less effective at an accelerating pace. I believe it is a transition period, and you can already hear voices saying the endpoint market needs a shakeup. In the future the anchor of endpoint protection will be real-time attack prevention, and static and behavioral scanning extensions will play a minor, feature-completing role. So pay careful attention to the technologies mentioned above, as one of them (or maybe a combination :) will bring the “force” back into balance :)


Advice for the CISO

Invest in closing the gap posed by vulnerabilities. Starting from patch automation and prioritized vulnerability scanning up to security code analysis for in-house applications, it is all worth it. Furthermore, seek out solutions which deal directly with the problem of zero days; there are several startups in this area, and their contribution can be of much higher magnitude than any other security investment in the post- or pre-breach phases.


Exploit in the Wild, Caught Red-Handed

Imagine a futuristic security technology that can stop any exploit at the exact moment of exploitation—regardless of the way the exploit was built, its evasion techniques or any mutation it might have or was possibly imagined to have. This technology is truly agnostic for any form of attack. An attack prevented with its attacker captured and caught red-handed at the exact point in time of the exploit…Sounds dreamy, no? For the guys at the stealth startup Morphisec it’s a daily reality. So, I decided to convince the team in the malware analysis lab to share some of their findings from today, and I have to brag about it a bit:)


Exploit Analysis

The target software is Adobe Flash and the vulnerability is CVE-2015-0359 (Flash up to 17.0.0.134). Today, the team got a fresh sample which had been uploaded to Virus Total 21 hours earlier! At the moment we received it from Virus Total, the scan results showed that no security tool in the market detected it except for McAfee GW Edition, which generically flagged its malicious activity.
[Screenshot: Virus Total scan results for the sample]


The guys at Morphisec love samples like these because they allow them to test their product against what is considered to be a zero-day, or at least an unknown attack. Within an hour, the CVE/vulnerability exploited by the attack and the method of exploitation were identified.


Technical Analysis

Morphisec prevents the attack when it starts to look for the Flash module’s address (which would later be used to find gadgets). The vulnerability allows the attacker to modify the size field of a single array out of many sequentially allocated arrays, each of size 0x3fe.

The size field of one such array (index [401]) is changed from 0x3fe to 0x40000001, so that the array nominally spans the entire 32-bit address space and every index passes the bounds check. The first double word in this array points to a read-only section inside the Flash module. The attacker uses this address as the starting point for an MZ search (the “MZ” marker indicates the start of the library): the leaked read-only pointer is aligned to a 64k boundary and the search then proceeds in 64k steps, one iteration per step.

After the attacker finds the MZ header, it validates the NT (“PE”) signature of the module, gets the code base pointer and size, and from that point the attack searches for gadgets in the code of the Flash module.
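To make the steps above concrete, here is an added example in C (written for this edit; it is neither Morphisec’s code nor the sample’s) that replays the chain inside a fake 32-bit address space: a bounds-checked array read that refuses an out-of-range index until the length is corrupted to 0x40000001, a 64 KiB-stepped search from the leaked pointer to the module’s “MZ” header, a check of the “PE” signature followed by extraction of the code section’s base and size, and a scan of that section for a gadget. Assumptions not taken from the post: the search walks downward from the leaked pointer, the fake PE image and all its offsets, the planted gadget bytes (xchg eax, esp ; ret) and the placement of the leaked pointer just past the corrupted array’s original end.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Simulated 32-bit address space: an "address" is an offset into mem[]; the fake Flash
 * module is "loaded" at MODULE_BASE. Nothing here touches real process memory. */
#define MEM_SIZE    0x30000u
#define MODULE_BASE 0x10000u
static uint8_t mem[MEM_SIZE];

/* Just enough of the PE layout for the MZ/PE checks and the code-section lookup. */
#pragma pack(push, 1)
typedef struct { uint16_t e_magic; uint8_t reserved[58]; uint32_t e_lfanew; } DosHeader;
typedef struct {
    uint32_t Signature; uint16_t Machine, NumberOfSections; uint8_t reserved[12];
    uint16_t SizeOfOptionalHeader, Characteristics, Magic; uint8_t LinkerVersion[2];
    uint32_t SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData;
    uint32_t AddressOfEntryPoint, BaseOfCode;   /* Magic 0x10B = PE32; BaseOfCode = code RVA */
} NtHeaders;
#pragma pack(pop)

typedef struct { uint32_t length; uint32_t data; } Vec;   /* length guards elements stored at `data` */

/* The runtime's bounds-checked read: with length 0x3fe an out-of-range index is refused;
 * once the length is 0x40000001 every 32-bit index passes the check. */
int vec_read(const Vec *v, uint32_t index, uint32_t *out) {
    if (index >= v->length) return 0;              /* the check the bug defeats */
    uint32_t addr = v->data + index * 4u;
    if (addr > MEM_SIZE - 4u) return 0;            /* simulation guard only */
    memcpy(out, mem + addr, 4);
    return 1;
}

/* Step 2: align the leaked pointer down to 64 KiB and walk down a page at a time until
 * "MZ" appears. Safe only because the pointer lies inside a 64 KiB-aligned module. */
uint32_t find_module_base(uint32_t leaked_ptr) {
    if (leaked_ptr >= MEM_SIZE) return 0;
    for (uint32_t p = leaked_ptr & ~0xFFFFu; ; p -= 0x10000u) {
        if (mem[p] == 'M' && mem[p + 1] == 'Z') return p;
        if (p < 0x10000u) return 0;                /* nothing below: give up */
    }
}

/* Step 3: validate the DOS and PE signatures, then read the code section's base and size. */
int get_code_section(uint32_t base, uint32_t *code_start, uint32_t *code_size) {
    DosHeader dh; NtHeaders nt;
    if (base > MEM_SIZE - sizeof dh) return 0;
    memcpy(&dh, mem + base, sizeof dh);
    if (dh.e_magic != 0x5A4Du || dh.e_lfanew > MEM_SIZE - base - sizeof nt) return 0;
    memcpy(&nt, mem + base + dh.e_lfanew, sizeof nt);
    if (nt.Signature != 0x00004550u || nt.Magic != 0x10Bu) return 0;
    *code_start = base + nt.BaseOfCode; *code_size = nt.SizeOfCode;
    return 1;
}

/* Step 4: scan the code section for a gadget's byte pattern; 0 if absent. */
uint32_t find_gadget(uint32_t start, uint32_t size, const uint8_t *pat, size_t n) {
    if (start >= MEM_SIZE || size > MEM_SIZE - start) return 0;
    for (uint32_t i = 0; i + n <= size; i++)
        if (memcmp(mem + start + i, pat, n) == 0) return start + i;
    return 0;
}

/* Constructed fixture: a fake PE32 image, NOP filler as code, one stack-pivot gadget
 * (xchg eax, esp ; ret = 94 C3) planted at a known RVA. */
static const uint8_t PIVOT_GADGET[] = { 0x94, 0xC3 };
#define GADGET_RVA 0x5242u
void build_fake_module(void) {
    DosHeader dh = {0}; NtHeaders nt = {0};
    memset(mem, 0, sizeof mem);
    dh.e_magic = 0x5A4Du; dh.e_lfanew = 0x80u;
    nt.Signature = 0x00004550u; nt.Machine = 0x14Cu; nt.NumberOfSections = 2;
    nt.SizeOfOptionalHeader = 0xE0u; nt.Magic = 0x10Bu; nt.BaseOfCode = 0x1000u; nt.SizeOfCode = 0x10000u;
    memcpy(mem + MODULE_BASE, &dh, sizeof dh);
    memcpy(mem + MODULE_BASE + dh.e_lfanew, &nt, sizeof nt);
    memset(mem + MODULE_BASE + nt.BaseOfCode, 0x90, nt.SizeOfCode);
    memcpy(mem + MODULE_BASE + GADGET_RVA, PIVOT_GADGET, sizeof PIVOT_GADGET);
}

/* The whole chain: corrupt one array's length, read the leaked module pointer, find the
 * module, parse its headers and locate a gadget. Returns the gadget's address, or 0. */
uint32_t simulate_exploit(void) {
    build_fake_module();
    /* One of the sequentially allocated 0x3fe-element arrays, outside the module. The leaked
     * pointer is planted just past its end (simulation assumption; the write-up reads it
     * from the array's first dword). */
    Vec v = { 0x3FEu, 0x1004u };
    const uint32_t leak_index = 0x400u, planted = MODULE_BASE + 0x15000u;
    memcpy(mem + v.data + leak_index * 4u, &planted, 4);
    uint32_t leaked = 0, base, code, size;
    if (vec_read(&v, leak_index, &leaked)) return 0;   /* must be refused before corruption */
    v.length = 0x40000001u;                            /* the bug: the length now spans all memory */
    if (!vec_read(&v, leak_index, &leaked)) return 0;
    base = find_module_base(leaked);
    if (!base || !get_code_section(base, &code, &size)) return 0;
    return find_gadget(code, size, PIVOT_GADGET, sizeof PIVOT_GADGET);
}

int main(void) {
    printf("gadget at 0x%05x (module base 0x%05x)\n", (unsigned)simulate_exploit(), (unsigned)MODULE_BASE);
    return 0;
}
```

In the simulation the leak points into the module’s second 64 KiB page, so the first aligned probe misses and the loop steps back once before hitting the header at 0x10000; the gadget then turns up at 0x15242. The two reads inside `vec_read` are the moment a defender has to catch: everything after the corrupted length check is ordinary memory reads that look nothing like an attack to a static scanner.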

[Screenshots: Morphisec’s analysis of the sample]

Morphisec’s technology not only stopped it on the first step of exploitation, it also identified the targeted vulnerability and the method of exploitation as part of its amazing real-time forensic capability. All of this was done instantly in memory on the binary level without any decompilation!

I imagine that pretty soon the other security products will add the signature of this sample to their database so it can properly be detected. Nevertheless, the situation remains that each new mutation of the same attack makes the common security arsenal “blind” to it—which is not very efficient. Gladly, Morphisec is changing this reality! I know that when a startup is still in stealth mode and there is no public information about such comparisons… it’s a bit “unfair” to the other technologies on the market, but still… I just had to mention it:)


P.S. Pretty soon we will start sharing more details about Morphisec technology—so stay tuned. Follow us via Twitter  @morphisec for more updates.