Have you thought recently about how malware really works? We’ve seen a lot of crazy stuff coming out in the past few years with all kinds of amazing devious infection vectors. Side-channel attacks, cloud-based botnet scanners, and even cryptolockers are just some of the ways that we’ve seen machines get infected and then start being used to create other vectors for propagation.
But what about what happens when the malware actually goes to work? There are only so many ways that you can gain a foothold on a system to start doing the nefarious things you need to get done. It reminds me of the stories we hear about catching people that penetrate systems not because of their entrance but by the tell-tale signs they leave behind when they’re doing reconnaissance and trying to establish permanence. No matter how clever they are up front, they still look like a criminal on the back end.
Bright White Lists
During Black Hat 2019 I had the opportunity to sit down with Nyotron and talk about how they’re combating the issues with infection and compromise. Rene Kolga, Head of Product Management, shared with me the Nyotron approach. Instead of looking for attackers trying to make a sneaky entrance into a network, Nyotron instead looks at the behaviors that are commonly used to gain a foothold. Things like using abnormal file writes to evade traditional endpoint protection systems and establish permanence on a system.
Nyotron works differently that other endpoint protection systems because they don’t try to blacklist bad behaviors. Instead, they whitelist the good behaviors. In the above example, the Nyotron agent on the system has a whitelist of all the valid ways to write a file or create a directory. If an application is using one of these valid methods it would be allowed to create the file. But if the application is trying to use a different, non-supported method it gets intercepted and shut down.
This is a big switch from traditional endpoint protection systems. Think about all the ways that something like anti-virus has to work to find bad actors in the system. It has definitions of bad files for quick detection. It has heuristic scanners that often confused legitimate good behavior for bad, such as installing files in a system directory or creating a socket. And traditional AV programs have to scan and rescan the whole system over and over again looking for something that might have slipped through in the gap between scans.
The whitelisting behavior is very powerful because it means that not only can Nyotron catch the behavior as it happens, but it can do so very, very quickly because the definition files are small and efficient. If there are only so many ways to create a network socket, those methods are unlikely to change every week or even every month. When a new method is found or adopted it can be included in an agent update and passed along to the system quickly. This might only have to happen once or twice a year!
Four Corners of Protection
One great use I thought of for the Nyotron solution was in remote and air-gapped systems. How many times have we had problems keeping endpoint protection updated on remote devices or remote offices? Have you ever seen an issue when a system was installed and someone “forgot” to install AV on it and it became the point of compromise for your whole company?
Think about something like an HVAC system. These are managed by other companies but they live on your network. And they have to be secured. And updated. And we have to make sure no one does something silly like leaving RDP open to the entire world. That would never happen, right?
Imagine securing this system with Nyotron. Now, you can ensure that someone that tries to gain a foothold on the unit will be denied and you’ll find out because the system will send an alert when that occurs. You’ll know immediately which unit is under attack and that it was prevented before the damage could be done. You can spend more time securing your infrastructure after the alert instead of spending time fighting a losing battle trying to remove the software.
Bringing It All Together
Nyotron has some great technology with their whitelist approach. I like that their software is lightweight and doesn’t even need network connectivity to function. And I like that it focuses on preventing attacks before they happen instead of trying to clean them up after it’s too late. If you’re running a Windows-based organization and you’re ready to dump your traditional EDR platform, it’s worth taking a look at Nyotron.
For more information about Nyotron and their use cases, make sure you check out their site at http://Nyotron.com
