Malware guide: more on detection

How does malware detection work (part 2)?

We previously looked at signature analysis, behaviour-based analysis, intrusion detection systems and memory analysis.

Here is the second set of approaches for you to think about.

5.     Sheep dipping

Sheep dipping is a process intended to stop malware entering your system, just as sheep are dipped in parasite-removal chemicals before they are allowed to join the flock. It means testing new files or devices for malware before allowing them onto the company network. This involves opening a file in a controlled environment, such as a virtual machine, and analysing its activity to decide whether it can be passed on to the user.

For example, removable storage devices such as USB drives are high-risk, as they are an easy way to introduce an infection into a system. By ‘sheep-dipping’ (or scanning) all USB drives before they can be used, malware can be detected before the drive is plugged into a company’s network of computers. This is often done on a standalone computer or other dedicated device.

6.     Sandboxing

Sandboxing is testing code that is potentially malicious in an isolated environment that mimics the live environment, known as a sandbox. In theory, the tester will be able to see how the code behaves, but in a safe environment, so that it can’t damage the system or network outside the sandbox. If it demonstrates malicious behaviour, the anti-malware software will remove it from the system; if it appears to be benign, it will be released from the sandbox.

However, in practice some malware can determine whether or not it is in a sandbox, and will work in a different way than it would in the real environment. It masquerades as legitimate software until it is released from the sandbox.

7.     Endpoint detection and response (EDR)

Endpoint security involves securing user devices (phones, tablets, laptops, computers) to keep the network secure. This usually means doing more than simply installing standalone anti-malware on each device. EDR involves installing security ‘agents’ that run in the background on the endpoints. These agents are monitored and controlled by a central management system.  

Malware detection on endpoints increasingly requires layered defences, combining all of the above approaches (signatures, behaviour analysis and sandboxing) together with machine learning.

8.     Machine learning

Machine learning focuses on the development and use of computer programs that can learn from experience without being explicitly programmed. They can take data and use it to learn for themselves, using algorithms and statistical models to conduct analysis and make decisions based on patterns in the data. This is becoming invaluable in malware detection.

The program must be provided with a large dataset from which to learn, but once it has analysed the initial dataset, it is able to create a model (the principles underlying the data) and can predict the properties of new data samples. In this case, the program should be able to determine whether new data presented to it is an indicator of malware.

Clearly, the selection of the dataset from which the program learns is crucial to reducing the risk of incorrect decisions. Also, of course, software (both benign and malicious) continues to develop, so training datasets must be continually updated and the machine learning program retrained regularly.

In the same way that traditional signature-based detection programs must be updated regularly, so too must machine-learning-based programs.
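As an added illustration of the train-then-predict cycle and the retraining point above (example code, not from the article), here is a small Bernoulli naive Bayes classifier over constructed file features. The feature names, the labelled samples and the choice of naive Bayes are assumptions made for the example; the article names no particular algorithm.

```python
from math import log
from collections import Counter

# Constructed, labelled training data (not from any real corpus): each sample is
# the set of features observed in a file, with 1 = malware and 0 = benign.
FEATURES = ("high_entropy", "packed", "unsigned", "writes_autorun", "beacons_out")
TRAINING = [
    ({"high_entropy", "packed", "unsigned", "beacons_out"}, 1),
    ({"packed", "unsigned", "writes_autorun"}, 1),
    ({"high_entropy", "unsigned", "writes_autorun", "beacons_out"}, 1),
    ({"unsigned", "writes_autorun"}, 1),
    (set(), 0),
    ({"high_entropy"}, 0),   # e.g. a signed, compressed installer
    ({"beacons_out"}, 0),    # e.g. a signed update checker
    ({"unsigned"}, 0),
]
# Later additions: the organisation's own packed, unsigned in-house tools, confirmed benign.
LATER_BENIGN = [({"packed", "unsigned"}, 0)] * 3

def train(samples):
    """Fit a Bernoulli naive Bayes model: class priors plus, per class, the probability of
    each feature. Laplace smoothing keeps every probability strictly inside (0, 1)."""
    class_counts = Counter(label for _, label in samples)  # both classes must be present
    feature_counts = {0: Counter(), 1: Counter()}
    for feats, label in samples:
        feature_counts[label].update(feats)
    model = {"prior": {}, "likelihood": {0: {}, 1: {}}}
    for label in (0, 1):
        model["prior"][label] = class_counts[label] / len(samples)
        for f in FEATURES:
            model["likelihood"][label][f] = (feature_counts[label][f] + 1) / (class_counts[label] + 2)
    return model

def score(model, feats):
    """Log-odds that a sample with these features is malware (> 0 means malware)."""
    logodds = log(model["prior"][1]) - log(model["prior"][0])
    for f in FEATURES:
        p1, p0 = model["likelihood"][1][f], model["likelihood"][0][f]
        if f in feats:
            logodds += log(p1) - log(p0)
        else:  # the absence of a feature is evidence too
            logodds += log(1 - p1) - log(1 - p0)
    return logodds

def classify(model, feats):
    return "malware" if score(model, feats) > 0 else "benign"

if __name__ == "__main__":
    unknown = {"packed", "unsigned"}   # a new, never-seen file
    print("initial model:  ", classify(train(TRAINING), unknown))                 # malware
    print("retrained model:", classify(train(TRAINING + LATER_BENIGN), unknown))  # benign
```

The same unknown file is judged differently by the two models, which is the article's point: the verdict is only as good as the dataset the model learned from, and the model has to be retrained as the software in your environment changes.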

9.     Intelligence sharing

While not a way of protecting your systems immediately, information sharing is a vital part of anti-malware protection. We recognise that not everyone is a cyber security professional, and we don’t all have the time to review threat intelligence sources, but keeping up with malware trends, at least at some level, will help you prepare your defences.

Share what you learn about current threats with your colleagues and other connections. For example, consider signing up with CiSP (Cyber Security Information Sharing Partnership), which is a threat sharing service run by the NCSC. It provides early warning of cyber threats, the opportunity to learn from others, and access to free network monitoring reports tailored to your organisation’s requirements.