Understanding Today's Threat Environment

"Zero day", "APT", "Unknown applications"
Zero Day Threats

For thirty years, most of us have relied on signature based antivirus products for protection that use their signature file (blacklist) to identify and respond to threats. Unfortunately, that means "legacy antivirus" must first detect the threat before it can be addressed.

If the threat is not detected, then infection occurs. We can safely say that there will always be some undetectable threats because malware authors are an intelligent bunch who test their products against all of the major antivirus systems before they release them. There will always be a gap between the time these threats are released and the time vendors have identified them and updated their signature file.

With an estimated 50,000 new malware released each day, how can a blacklist system be always up to date? It can't. We call these undetected threats "zero day malware".

Legacy antivirus cannot deal effectively with zero day malware. If it could, you probably would not be reading this. They are based on a reactive model that can't keep up with the speed in which malware can spread today.

Today's threat environment demands a proactive model of protection.

Advanced Persistent Threats

Criminal hackers are increasingly using the targeted techniques originally developed by national intelligence services, called Advanced Persistent Threats (APT). This approach identifies specific people in specific organizations and tailors the attack to best trick them into infecting their network. Legacy antivirus cannot customize its system to such a threat any more than a pharmaceutical company would spend billions on a pill to cure just one person. Some APT attacks will inevitably succeed in placing malware on the target's system.

The Good, the Bad, the Unknown: 3 states of an executable file
  • Question: How many strangers (people you don't know) live in your home?
  • Answer: None, of course. If you saw an unknown person in your house you would ask them to leave and if they did not you would call the cops.
  • Question: How many unknown applications live in your network?
  • Answer: You don't know, of course. But your legacy antivirus software does allow unknown files to be saved on your network's computers.

If you don't allow unknown persons in your house, why are you allowing unknown files on your network? Hmm?

You cannot afford to allow unknown executables to live in your network with unfettered access. It is just not healthy! To deal with unknown files, you first have to diagnose them as such. A file can have one of three states.

  • Known good: The file is known to be valid and not a risk.
  • Known bad: The file is a known threat and must be dealt with accordingly.
  • Unknown: The file is not on our lists of good or bad. It may be safe or it could be malicious. We just do not know.

So why don't we simply stop unknown applications from executing? That solves the problem, right? Yes, it does, but it creates a usability problem! Are you going to explain to your management why they can't run this app or the other app they keep downloading? I'd rather not!

OK, here is another idea: why don't we stop these unknown files, send them to a "sandbox" and check whether they are malicious? If not, allow them. Great! Unfortunately, you are still relying on "detection". Have you heard of a "time bomb"?

Here is how a malware time bomb works: I am a malware and I will sit pretty and do nothing malicious for 2 months. Then, on schedule I will unleash my evil! Moo wah ha ha!

So how will you "detect" this in a sandbox? Wait for 2 months? Don't forget, your management is also waiting on their download!! Waiting for 2 minutes is not acceptable for your CEO, never mind 2 months!!

Now that you've had 2 guesses, let me tell you how we solve it: RTATC!

Run-Time Automatic Threat Containment

First you need a containment technology: something you can use to run a file you don't trust (an "unknown file") without causing damage if it turns out to be a bad file. Comodo built the world's only containment technology that has been battle tested by over 80 million users!

Second, the question is when to use it. If you can identify a good file, you don't need to contain it, because it's a good file. If you can identify a bad file, you don't contain it either: bad files need to be "quarantined" or deleted. It is the unknown files that must be contained. Comodo security includes a patented solution for containing unknown files at run time, automatically. RTATC is intelligent enough to weed out the good and the bad and contain only the unknown, making it a very efficient "containment" technology. Of course, you can configure it to run everything in our containment, but there simply is no need for that, as it does not improve your security posture.

Comodo is the only company that classifies an executable file into 3 states: good, bad and unknown. Hence, Comodo can provide containment security technology with unprecedented efficiency and effectiveness. Only Comodo is able to zero in on what truly matters in protection: the unknown files. Unknown files must only be executed within a container. Comodo's container solution offers zero friction for end-user usability: the user executing the application continues to use it without even realizing that it is running in a container. Fast, efficient and zero user-experience change!
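The three-state decision above, and the time-bomb argument from the sandbox discussion, as an added example (this is not Comodo's code or RTATC itself). It classifies a file by SHA-256 against constructed known-good and known-bad sets, maps the verdict to allow / quarantine / contain, and then compares "detect then allow" with a finite observation window against "contain the unknown" on a constructed sample whose payload only fires after a 60-day fuse.

```python
import hashlib
from enum import Enum

Verdict = Enum("Verdict", "KNOWN_GOOD KNOWN_BAD UNKNOWN")
Action = Enum("Action", "ALLOW QUARANTINE CONTAIN")

# Constructed allowlist / blocklist; a product would use vendor verdict feeds.
KNOWN_GOOD = {hashlib.sha256(b"trusted-editor sample").hexdigest()}
KNOWN_BAD = {hashlib.sha256(b"known-ransomware sample").hexdigest()}
TIME_BOMB = b"never-seen dropper, constructed sample"   # on neither list
FUSE_DAYS = 60                                          # "sits pretty" 2 months


def classify(data: bytes) -> Verdict:
    """Three states: the blocklist is checked first, then the allowlist."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_BAD:
        return Verdict.KNOWN_BAD
    if digest in KNOWN_GOOD:
        return Verdict.KNOWN_GOOD
    return Verdict.UNKNOWN


def containment_action(verdict: Verdict) -> Action:
    """Good runs normally, bad is quarantined, only the unknown is contained."""
    return {Verdict.KNOWN_GOOD: Action.ALLOW,
            Verdict.KNOWN_BAD: Action.QUARANTINE,
            Verdict.UNKNOWN: Action.CONTAIN}[verdict]


def is_malicious_on(day: int) -> bool:
    """Constructed time bomb: no malicious behaviour until the fuse expires."""
    return day >= FUSE_DAYS


def detect_then_allow(window_days: int) -> Action:
    """Sandbox detection: run the file for window_days, allow it if nothing
    bad was seen. Only a window at least as long as the fuse catches it."""
    seen_bad = any(is_malicious_on(d) for d in range(window_days + 1))
    return Action.QUARANTINE if seen_bad else Action.ALLOW


def payload_confined(policy: str, window_days: int = 0) -> bool:
    """True if the payload is still confined on the day the time bomb fires."""
    if policy == "detect_then_allow":
        action = detect_then_allow(window_days)
    else:  # "contain_unknown": decided at execution time, no waiting
        action = containment_action(classify(TIME_BOMB))
    return action in (Action.CONTAIN, Action.QUARANTINE)
```

With any observation window shorter than the fuse, detect-then-allow releases the sample unconfined, while contain-the-unknown never needed to wait at all.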

What is Containment?

Containment is "the action of keeping something harmful under control or within limits". A sandbox is a containment technology implemented by executing the software in a restricted operating system environment, thus controlling the resources. For example, the file descriptors, memory, file system space, etc. that a process may use. Examples of sandbox implementations include the following, from Wikipedia:

  • A jail: Provided network-access restrictions, and a restricted file system namespace. Jails are most commonly used in virtual hosting.
  • Rule-based execution gives users full control over what processes are started, spawned (by other applications), or allowed to inject code into other applications and have access to the net, by having the system assign access levels for users or programs according to a set of determined rules. It also can control file/registry security (what programs can read and write to the file system/registry). In such an environment, viruses and trojans have fewer opportunities of infecting a computer.
  • Virtual machines emulate a complete host computer, on which a conventional operating system may boot and run as on actual hardware. The guest operating system runs sandboxed in the sense that it does not function natively on the host and can only access host resources through the emulator.
  • Sandboxing on native hosts: Security researchers rely heavily on sandboxing technologies to analyze malware behavior. By creating an environment that mimics or replicates the targeted desktops, researchers can evaluate how malware infects and compromises a target host. Numerous malware analysis services are based on the sandboxing technology.
  • Capability systems can be thought of as a fine-grained sandboxing mechanism, in which programs are given opaque tokens when spawned and have the ability to do specific things based on what tokens they hold. Capability-based implementations can work at various levels, from kernel to user-space. An example of capability-based user-level sandboxing involves HTML rendering in a Web browser.
  • Online judge systems test programs in programming contests.
  • New-generation paste bins allow users to execute pasted code snippets.
  • Secure Computing Mode (seccomp) is a sandbox built in the Linux kernel. When activated, seccomp only allows the write(), read(), exit() and sigreturn() system calls.
  • HTML5 has a "sandbox" attribute for use with iframes.

The key with containment/sandboxing is the ability to let users execute the application they wish to, and to allow them continued use of the application, while still sandboxing/containing it.

Denying the user the ability to run the application is not desirable. Run-Time Automatic Containment is the solution.

Containment technology must also defend itself against malware "jumping out" of the containment solution. A containment technology that cannot protect itself cannot contain the malware. Comodo is the most trusted containment technology.

Comodo Internet Security has ranked #1 for over three years in the ongoing Matousec Proactive Security Challenge 64. The challenge is a competition among 36 suites of internet security. Matousec's tests include the system's ability to protect itself. What good would a body guard be if he cannot protect himself?

Comodo is one of only 4 of the competitors that have earned the Matousec recommendation, and the only one available for free.