The invention, in some embodiments, relates to the field of computer threats, and more specifically to methods and systems for identifying the presence of advanced persistent threats in a network and for trapping the threats.
Advanced persistent threats, such as computer viruses, computer worms, Trojan horses, and other malware, particularly when infecting endpoints in an organization's network, are some of the most crucial security problems for many organizations. Current security mechanisms are generally unable to cope with, and to prevent, infectious attacks, and as a result attackers, such as hackers, crackers, and cyber-terrorists, are able to insert malware into the networks of such organizations. Once malware is present on an organization's network, the malware communicates with its controllers, such as hackers, crackers and cyber-terrorists, via command and control (C&C) mechanisms, which direct the malware as to what data to obtain, where to find such data, and where to send the data once it is obtained.
One method currently used for identifying the presence of malware on a network involves signature matching or pattern matching of malware families. For this method to properly identify the presence of malware, the malware must first be caught and analyzed to derive one or more relevant signatures, which signatures are then used to prevent a malware infection by such malware in other computers in the network or in other networks. However, malware signatures are changed, added and mutated constantly, and signature analysis tools typically cannot keep up with the changing malware signatures, and therefore this method is far from failsafe.
In other methods, machine learning, behavioral analysis, and classification algorithms are used to find packets within the network traffic which include communication between malware within the network and the command and control mechanism controlling the malware, or other suspicious activities in the network. However, this method requires collecting all the traffic to and from the organization, collecting data from assets inside the organization and the computational analysis methods used to implement this technique often trigger false positives and/or suffer from false negatives.
Yet another method, known as “sandboxing”, involves running suspicious code in a secluded emulation environment, also called a sandbox, in order to identify the purpose of the code without the code being able to access the real resources of the organization. For example, a sandbox may be implemented by installing a proxy at the gateway to a network, and executing all HTTP pages within the proxy prior to forwarding them to the requesting node or computer within the network. However, sandboxing often greatly slows down the flow of traffic in the network, due to the need to check every incoming piece of suspicious code. Additionally, malware developers have found multiple different methods for circumventing or bypassing sandboxing technologies, thereby reducing the effectiveness of this technology.
One specific type of an attack, known as ransomware, operates by denying the legal user access to his resources, for example by encrypting those resources, and demanding ransom in order to enable such access.
Various approaches have been proposed for dealing with ransomware, such as white listing executable applications prior to running them on an endpoint, having an off-line backup of files so that they can be retrieved and as such the ransomware has no impact, and assessing the behavior of applications running on an endpoint to determine whether one of them is potentially ransomware and terminating that application. However, these methods are not perfect because they make assumptions about the application which may be incorrect, because there are methods for the ransomware to evade these solutions, and/or because the solution introduces another agent on the endpoint. There is thus a need for a technology which identifies the presence of attacking malware within the network following infection of the network, and which is able to trap the malware within the network so as to prevent excessive damage to network resources. There is a specific need for a technology which limits, or preferably prevents, damage to data of the organization by identifying, occupying, trapping, and/or terminating ransomware with minimal slowing down of network activity, if any.