Beep. Boop. Eliminated.

Harnessing AI and Machine Learning for Enhanced Malware Defenses

In the early 2000s, I was like any other kid endlessly scouring Myspace for new music on my friends’ pages. When I found a new song on someone’s page, I would listen to it a few times, and then, once I knew it was a certified banger, I would open up Limewire and download the best quality track I could find so I could put it on my Zune and listen to it nonstop on the bus to school. However, more often than not, that sick new Good Charlotte, Linkin Park, or Green Day track was in reality just a juicy piece of malware waiting to be downloaded. As a kid, I had no understanding of the dangers of peer-to-peer networks; I just knew that I wanted to listen to the same songs my childhood crush was listening to, and because of that, at least once a month we would have to restore the computer from backups or, even worse, reinstall Windows XP on the family computer that my parents used for taxes and home business records. Needless to say, I was grounded from the computer often.

Now, flash forward twenty-some years, and the word malware gets thrown around so much that it is used to describe all sorts of computer ailments and has become almost a catch-all term for any computer or internet-related issue someone might experience. On top of this generalization, cybersecurity marketing teams began using the word malware anywhere and everywhere they could to fuel their scare-tactic campaigns, so more people would buy their security products whether they needed them or not. The combination of these generalizations has muddied the waters on what the word malware means to the general public. With this in mind, in this article malware means any file or code, typically delivered over a network, that infects, explores, steals, or otherwise carries out virtually any behavior an attacker wants.

In the year 2022, malware still represents a massive problem, and it can be incredibly disruptive and targeted specifically for maximum and precise impact. Over the years, various antivirus software has been developed and improved upon, creating a standard baseline of protection against malware. However, most of this baseline antivirus software uses a list of pre-defined signatures to detect and quarantine malware. While this generally does a decent job of finding unwanted programs or standard malicious files, if a piece of malware has a different signature than what the antivirus is looking for, the malware can remain hidden on the system until a matching signature is added to the software. As threats became more complicated and harder to detect, it was clear that typical antivirus software needed to evolve to combat more advanced malware.

The next evolution of antivirus software is known as EDR, or Endpoint Detection and Response. EDR keeps the typical signature-based antivirus and adds behavior analytics to its threat-hunting arsenal. With behavior analytics, EDR can look at the behavior of a program, service, or anything else it detects and compare it against known baseline behavior as well as environment-specific behavior. It then uses artificial intelligence and machine learning, together with user-defined allow lists and block lists, to determine whether something is a threat or, at the very least, unexpected or abnormal behavior.

Along with enhanced detection, EDR also has a better suite of response tools baked into the software, allowing quick and immediate response to any detected threat. The traditional quarantine action found on most antivirus software is supplemented with kill, remediate, and rollback options. These options allow processes to be killed and systems to be restored to their pre-infection state, all with the click of a button or, in some cases, automatically once a threat is detected. The better EDR products also provide more detailed threat analysis along with the tools and information needed for manual threat investigation. This information lets the investigator put context around the threat to understand the who, what, when, where, why, and how of a threat getting into the environment, propagating through a network, avoiding initial detection, or any other potential scenario. Moreover, if a manual investigation finds the threat to be a false positive or a known and accepted risk, the SOC operator can add that file path or specific hash value to an allow list to tailor the EDR to the environment.
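To make the difference between the signature lookup described above and the behavior analytics that EDR layers on top of it concrete, here is a small PowerShell triage routine. It is an added example and not code from this article or from any EDR product; every hash, file path, process event, rule, weight, and threshold in it is constructed for the demo. It runs three constructed process records through an allow list, then an exact hash signature check, then a weighted behavior rule set, which is the order the paragraphs above describe.

```powershell
# Added example: signature lookup vs. behaviour scoring, plus an allow list.
# Nothing here is real product code; all hashes, paths and events are made up.

# --- Signature detection: a "database" of known-bad SHA-256 hashes -----------
$KnownBadHashes = @{
    # constructed placeholder hash, not a real indicator of compromise
    '0000000000000000000000000000000000000000000000000000000000000001' = 'Demo.Dropper.A'
}

function Test-Signature {
    param([string]$Sha256)
    if ($KnownBadHashes.ContainsKey($Sha256)) { return $KnownBadHashes[$Sha256] }
    return $null   # unknown hash: a rebuilt copy of the same dropper gets a pass here
}

# --- Behaviour detection: score what a process does, not what it hashes to -----
# Each rule is a script block over one telemetry event; weights are constructed.
$BehaviourRules = @(
    @{ Name = 'ExecFromRemovableMedia'; Weight = 3
       Match = { param($e) $e.Action -eq 'ProcessStart' -and $e.DriveType -eq 'Removable' } }
    @{ Name = 'RunKeyPersistence'; Weight = 4
       Match = { param($e) $e.Action -eq 'RegistrySet' -and
                 $e.Target -like 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run\*' } }
)
$AlertThreshold = 5

# --- Allow list: SOC-approved hashes or paths that suppress a verdict -----------
$AllowList = @{
    Hashes = @()
    Paths  = @('C:\Program Files\BackupTool\agent.exe')   # constructed path
}

function Invoke-Triage {
    param([pscustomobject]$Process)

    if ($AllowList.Hashes -contains $Process.Sha256 -or $AllowList.Paths -contains $Process.Path) {
        return [pscustomobject]@{ Path = $Process.Path; Verdict = 'Allowed'; Reason = 'allow list' }
    }

    $sig = Test-Signature -Sha256 $Process.Sha256
    if ($sig) {
        return [pscustomobject]@{ Path = $Process.Path; Verdict = 'Malicious'; Reason = "signature $sig" }
    }

    # Sum the weight of every rule that fires on at least one event of this process.
    $score = 0; $fired = @()
    foreach ($rule in $BehaviourRules) {
        if ($Process.Events | Where-Object { & $rule.Match $_ }) {
            $score += $rule.Weight; $fired += $rule.Name
        }
    }
    $verdict = if ($score -ge $AlertThreshold) { 'Suspicious' } else { 'Clean' }
    return [pscustomobject]@{ Path = $Process.Path; Verdict = $verdict
                              Reason = "behaviour score $score ($($fired -join ', '))" }
}

# --- Constructed process records ----------------------------------------------
$RunKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run\Updater'
$Samples = @(
    # 1. Known dropper: the hash signature alone catches it.
    [pscustomobject]@{ Path = 'E:\setup.exe'
        Sha256 = '0000000000000000000000000000000000000000000000000000000000000001'; Events = @() }
    # 2. Same dropper rebuilt with a new hash: the signature misses, behaviour does not.
    [pscustomobject]@{ Path = 'E:\setup.exe'
        Sha256 = '0000000000000000000000000000000000000000000000000000000000000002'
        Events = @(
            [pscustomobject]@{ Action = 'ProcessStart'; Target = 'E:\setup.exe'; DriveType = 'Removable' }
            [pscustomobject]@{ Action = 'RegistrySet';  Target = $RunKey;        DriveType = '' }
        ) }
    # 3. Backup agent that also writes a Run key, but sits on the allow list.
    [pscustomobject]@{ Path = 'C:\Program Files\BackupTool\agent.exe'
        Sha256 = '0000000000000000000000000000000000000000000000000000000000000003'
        Events = @(
            [pscustomobject]@{ Action = 'RegistrySet';  Target = $RunKey;        DriveType = '' }
        ) }
)

$Samples | ForEach-Object { Invoke-Triage $_ } | Format-Table -AutoSize
```

Sample 2 is the case the article's signature paragraph warns about: its hash is not in the database, so only the behavior rules (execution from removable media plus a Run-key write, scoring 7 against a threshold of 5) flag it. Sample 3 shows why the allow-list check runs first: the backup agent triggers the persistence rule but is an accepted, SOC-approved exception by path.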

EDRs require an agent to be installed on each device, which means they can be deployed to anything the agent supports, such as Windows, macOS, and Linux devices. Once the agent is deployed, EDRs can be managed far more centrally than typical antivirus software. From a single console, SOC operators can see all installed agents, any incidents generated from those agents, additional software installed, missing patches for that software, and much more. An agent’s health can also be monitored more closely, and new versions of the agent can be pushed remotely from the console, allowing seamless upgrades with the click of a button. Because the agent pulls new signatures and behavioral analytics directly from the cloud, it always has the latest detections, even if the agent software itself is not on the newest version.

The Forward Edge Cybersecurity Solution utilizes SentinelOne EDR to detect, quarantine, kill, remediate, or roll back any malware that may already be present on the system as well as stop any new malware from infecting the system. This EDR is monitored by both the Forward Edge SOC Team and our solution partner’s SOC Team with 24/7 coverage, so our customers are fully protected even outside of the school day.

There are also plenty of malware defenses beyond just deploying an antivirus or EDR solution. Configuration management is another tool in our toolbelt for defending our environments against malware. By properly defining policies and configurations for the devices and user accounts in our environment, we can establish a more secure default posture.

One of the best default configurations to implement is disabling autorun and autoplay for removable media. This is a security control that is often overlooked but critically important for maintaining device security. Autorun and autoplay are convenience features in the Windows operating system designed to play movies, music, and more automatically when removable media such as CDs and USB drives are connected to a device. While not intentionally designed to be a security risk, malware creators were able to use this built-in feature to run malware automatically without user interaction, and it created an attack vector in which random malicious USB drives are dropped in the hope that a user picks one up and plugs it into a device, which then automatically runs the malicious program or code. The quickest and easiest way to disable this feature is to create a group policy in your Active Directory environment that disables both autorun and autoplay. Linking this policy at the root of your domain applies it to every domain-joined device on your network. The policy settings can be found in the GPO editor under Computer Configuration > Administrative Templates > Windows Components > Autoplay Policies.
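The group policy path above is the right way to roll this out across a domain. For a standalone or not-yet-joined machine, or to verify that a linked GPO actually landed, the same settings can be audited from PowerShell. The script below is an added example, not part of the article; it checks (and, from an elevated prompt, optionally sets) the registry values that three of the settings under Autoplay Policies write: "Turn off AutoPlay" for all drives (`NoDriveTypeAutoRun` = 0xFF), "Set the default behavior for AutoRun" set to not execute any autorun commands (`NoAutorun` = 1), and "Disallow Autoplay for non-volume devices" (`NoAutoplayfornonVolume` = 1). The function names are my own.

```powershell
# Added example: audit, and optionally set, the registry values behind the
# Autoplay Policies GPO settings. Auditing works unelevated; setting requires
# an elevated prompt. A domain GPO re-applies its own values on top of these.

$AutoplayPolicies = @(
    @{ Setting  = 'Turn off AutoPlay (All drives)'
       Key      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name     = 'NoDriveTypeAutoRun'
       Expected = 0xFF }
    @{ Setting  = 'Set the default behavior for AutoRun (Do not execute any autorun commands)'
       Key      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name     = 'NoAutorun'
       Expected = 1 }
    @{ Setting  = 'Disallow Autoplay for non-volume devices'
       Key      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer'
       Name     = 'NoAutoplayfornonVolume'
       Expected = 1 }
)

function Get-AutoplayPolicyState {
    # One row per setting: what the registry holds now vs. the hardened value.
    foreach ($p in $AutoplayPolicies) {
        $item   = Get-ItemProperty -Path $p.Key -Name $p.Name -ErrorAction SilentlyContinue
        $actual = if ($null -ne $item) { $item.($p.Name) } else { $null }   # $null = value absent
        [pscustomobject]@{
            Setting   = $p.Setting
            Value     = $p.Name
            Actual    = $actual
            Expected  = $p.Expected
            Compliant = ($actual -eq $p.Expected)
        }
    }
}

function Set-AutoplayPolicy {
    # Writes the hardened values; creates the policy keys if they do not exist yet.
    foreach ($p in $AutoplayPolicies) {
        if (-not (Test-Path $p.Key)) { New-Item -Path $p.Key -Force | Out-Null }
        Set-ItemProperty -Path $p.Key -Name $p.Name -Value $p.Expected -Type DWord
    }
}

Get-AutoplayPolicyState | Format-Table -AutoSize
# To harden this machine from an elevated prompt, then re-check:
#   Set-AutoplayPolicy; Get-AutoplayPolicyState
```

A missing value shows up as `Actual` empty and `Compliant` false, which is the normal state of a fresh install. On a domain-joined device, run `gpupdate /force` after linking the GPO and then rerun `Get-AutoplayPolicyState` to confirm the policy took effect rather than trusting the console alone.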

While malware does not seem to be going away anytime soon, advancing technologies and tools let us stop and prevent malware in our environments more effectively. We can already see the next big innovation in malware defenses on the horizon: XDR (Extended Detection and Response), which extends the reach and visibility of current EDR and SIEM (Security Information and Event Management) solutions. With continued improvements in these technologies, hopefully we will one day be able to make malware obsolete.