Cybersecurity: Why adopt Gorille® in your EDR?
The aim of this blog post is to present the result of our work and our innovative technology, tested within the European consortium Concordia, and to explain how our Gorille® morphological analysis solution can detect, identify and analyze any malware.
When it comes to cybersecurity, using an EDR has become a necessity: it is a full-fledged cyber defense component for protecting an organization's workstations.
In the military approach, building or using a cyber defense capability means mobilizing the capabilities known under the NATO acronym “DOTMLPFI*”.
The main added value of these capabilities is that they are based on anticipation.
Indeed, these cyber defense capabilities are based on:
- Open or classified sources,
- Historical information,
- Contextualization (J6*),
- Analysis management,
- Partial or systematic remediation scripts,
- Expertise and participation in the definition of operations (J5/hot plan*) and their implementation (J3*).
The current focus is naturally on automated software solutions (the “Materiel” of the NATO acronym), such as probes, analysis and orchestration tools, which drastically save time and human resources wherever possible.
These solutions are supposed to scale and thus compensate for the long, manual process of reverse engineering. However, time is often of the essence during an attack or a suspected attack whose nature is not yet known.
Market solutions have therefore been developed to help analysts, whether internal or external (MSSP SOC, SaaS, crisis management, subrogation, delegation, etc.).
These solutions are illustrated in the Gartner Group diagram called “TRIAD”. We have enriched it slightly to include other functions that cannot be automated but are essential to the cyber defense process:
Gartner Group TRIAD
The role and interest of an EDR
TRIAD distinguishes the tools grouped under the acronym “EDR*”, whose installed and configured agents are able to isolate a file and present it to other analysis tools, from those analysis tools themselves: EPP (EndPoint Protection, i.e. classic signature-based AV) and behavioral analysis tools based essentially on artificial intelligence (AI).
These tools must deal both with known viruses (signature database) and with unknown ones, variants derived from sophisticated malware. By passing under the radar of these detection tools, such threats settle on the IS, remain dormant and are activated according to the attackers' triggers.
The response to these attacks can be broken down into 3 steps: detection, malware characterization, and attack characterization.
In everyday usage, “detection” is taken to stand for the whole analysis chain. Detecting is indeed a necessity, but it is insufficient: it must be combined with characterizing the malware (knowing its nature, its action and its technical objective: wiper, ransomware, data leak, espionage, etc.). It is also necessary to characterize the threat in order to guarantee optimal protection.
Malware analysis tools must deal with four protection techniques implemented by attackers: obfuscation, self-modification, encryption and anti-debug measures.
This segment of incident handling is crucial: supporting analysts in the event of an attack is at the heart of the CTI*'s responsibilities. However, detection and characterization are time consuming, costly and reduce efficiency.
That efficiency relies heavily on well-conducted malware characterization, which makes thorough investigation possible and yields an optimal incident response at low cost.
Searching for IOCs, correlations or effects starting from detection alone is risky and delays both knowledge of the attack and the capacity to respond to the incident.
Gorille® as an EDR extension
Beyond the technical aspect, it is necessary to debrief on the attack(s), the infrastructure and the residual risks, and to anticipate the other aspects of the incident (legal aspects, contractual responsibilities, etc.). This consists in exposing a situation and its probable evolution: it is situational awareness.
The market for cyber defense solutions is emerging; it draws its legitimacy both from each internal engine and from the interoperability of several solutions forming a platform. It is essential to go beyond traditional antivirus solutions and AI-based probes and turn to an innovative solution: morphological analysis.
By characterizing a threat by its behavior and not only from a malware database, morphological analysis offers unique accuracy in identifying viruses and their variants. This analysis does not require a learning phase and can be materialized in the form of control flow graphs to precisely visualize the malicious strains of an executable file. This technology is embedded in the Gorille® engine and tested within the European consortium Concordia.
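To make the control-flow-graph idea concrete, here is a small added example. It is not Gorille® code and does not come from Cyber-Detect or Concordia; it is a toy written for this post. It parses a pseudo-assembly listing, builds an instruction-level control flow graph, applies two shape-preserving reductions (dropping unconditional jumps and merging runs of plain instructions; these reductions and the "site" encoding are assumptions modelled loosely on the general idea of comparing control-flow shape rather than bytes), and compares two programs by the multiset of depth-bounded subgraphs rooted at each node. The three listings are constructed samples: a decoder loop, a variant of it with renamed registers, an inserted junk instruction and a relocated body, and an unrelated routine. No learning phase is involved, which is the point the paragraph above makes.

```python
# Toy morphological (control-flow-graph) fingerprint. Added illustration, not
# Gorille(R) code; the reductions and the site encoding are assumptions.
import re
from collections import Counter

def classify(mnemonic):
    """Abstract node kind; operands are dropped, so renaming registers changes nothing."""
    m = mnemonic.lower()
    return m if m in ("jmp", "call", "ret") else ("jcc" if m.startswith("j") else "inst")

def parse(listing):
    """'label: mnemonic operands ; comment' -> ([(mnemonic, target)], {label: index})."""
    insns, labels, pending = [], {}, []
    for raw in listing.splitlines():
        line = raw.split(";", 1)[0].strip()
        m = re.match(r"^(\w+):\s*(.*)$", line)
        if m:
            pending.append(m.group(1))
            line = m.group(2).strip()
        if not line:
            continue
        parts = line.split(None, 1)
        target = parts[1].strip() if len(parts) > 1 and classify(parts[0]) in ("jmp", "jcc") else None
        labels.update(dict.fromkeys(pending, len(insns)))
        pending = []
        insns.append((parts[0], target))
    return insns, labels

def reduce_cfg(insns, labels):
    """Instruction-level CFG, then two shape-preserving reductions (assumed): drop
    unconditional jumps and rewire their predecessors to the target, so reordered code
    keeps its shape; let a plain instruction absorb a plain successor that nothing else
    reaches, so inserted junk instructions do not change the shape."""
    kind = {i: classify(m) for i, (m, _) in enumerate(insns)}
    succ = {i: set() for i in kind}
    for i, (_, target) in enumerate(insns):
        if kind[i] in ("jmp", "jcc") and target in labels:
            succ[i].add(labels[target])
        if kind[i] not in ("jmp", "ret") and i + 1 in succ:
            succ[i].add(i + 1)  # fall-through; calls are kept intra-procedural
    def preds(t):
        return {u for u in succ if t in succ[u]}
    changed = True
    while changed:
        changed = False
        for v in sorted(succ):
            if len(succ[v]) != 1 or v in succ[v]:
                continue
            (t,) = succ[v]
            if kind[v] == "jmp":
                for u in preds(v):
                    succ[u].discard(v)
                    succ[u].add(t)
                del succ[v]
            elif kind[v] == "inst" and kind[t] == "inst" and preds(t) == {v}:
                succ[v] = succ.pop(t)
            else:
                continue
            changed = True
            break
    return kind, succ

def site(v, kind, succ, depth):
    """Canonical string of the depth-bounded subgraph rooted at v (a 'site')."""
    if depth == 0:
        return kind[v]
    return kind[v] + "(" + ",".join(sorted(site(w, kind, succ, depth - 1) for w in succ[v])) + ")"

def fingerprint(listing, depth=2):
    """Multiset of sites of the reduced CFG; no learning phase is involved."""
    kind, succ = reduce_cfg(*parse(listing))
    return Counter(site(v, kind, succ, depth) for v in succ)

def similarity(fp_a, fp_b):
    """Multiset Jaccard similarity in [0, 1]; a threshold (e.g. 0.8) would decide 'same family'."""
    total = sum((fp_a | fp_b).values())
    return sum((fp_a & fp_b).values()) / total if total else 0.0

# Constructed samples: a decoder loop (A), its variant with renamed registers, a junk
# instruction and a relocated body (B), and an unrelated branchy routine (C).
SAMPLE_A = ("loop: xor byte [esi], 0x5A\n inc esi\n dec ecx\n jnz loop\n"
            " call payload\n ret\npayload: nop\n")
SAMPLE_B = (" jmp body\ntail: call payload\n ret\nbody: add ebx, 0 ; junk\n"
            " xor byte [edi], 0x5A\n inc edi\n dec edx\n jnz body\n jmp tail\npayload: nop\n")
SAMPLE_C = " cmp eax, 0\n je zero\n call positive\n ret\nzero: call nothing\n ret\n"

if __name__ == "__main__":
    a = fingerprint(SAMPLE_A)
    print("A vs variant B  :", similarity(a, fingerprint(SAMPLE_B)))  # 1.0
    print("A vs unrelated C:", similarity(a, fingerprint(SAMPLE_C)))  # 2/9
```

The variant scores 1.0 against the original because register names, the junk instruction and the relocated loop body all disappear under the reductions, while the unrelated routine keeps only a few generic sites in common. A real engine works on the disassembled binary, uses larger site sizes and a tuned threshold, and has to deal with the obfuscation, self-modification, encryption and anti-debug techniques mentioned earlier; the toy shows only why a shape-based signature survives changes that defeat byte-level signatures.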
Using morphological analysis, Gorille® Cloud can provide complete and instantaneous characterization to inform analysts about the attack. It also integrates within an xDR* platform and targets endpoints and servers, but also incoming files and the supply chain.
Adopting Gorille® within an EDR platform guarantees relevant and fast analysis and, in 99% of cases, automatic treatment of the incident. This avoids overly restrictive tuning that risks blocking user workstations or production servers without justifying the nature of the attack and its repercussions.
Pairing Gorille® with an EDR means reducing your risks and minimizing your exposure to future claims. It also means keeping the possibility of negotiating insurance premiums by demonstrating good practices with a breakthrough tool.
The use of Gorille® acts on the four risk mechanisms that are:
- the probability of attack occurrence, deployment on the network and endpoints,
- the threat, already described above, that would go under the radar,
- the vulnerability of cyber defenses,
- the effects in terms of loss of operations, penalties, civil liability, etc.
Our participation in the Concordia consortium is a real opportunity to constantly test new innovations and to benefit from the expertise of its members.
DOTMLPFI*: Doctrine, organization, training, materiel, leadership and education, personnel, facilities, and interoperability. The term refers to several distinct actions (https://www.nato.int/cps/fr/natohq/official_texts_156374.htm?selectedLocale=fr).
J3*: Operations (definition of actions, their sequences and their conduct). Defined as a long-term (cold plan) or short-term (hot plan) requirement. See J5.
J6*: Information from all sources.
J5*: Short- and long-term planning of capability acquisition.
CTI*: Cyber Threat Intelligence, or anticipation. Sources and means of analyzing attacks, whatever their timing (tactical, operational or strategic).
xDR*: Groups the so-called (E)ndpoint (D)etection and (R)esponse solutions, in the form of agents installed on the terminal, together with (A)DR, Application Detection and Response, the best known of which are those that process horizontal or vertical/business email (Application). These agents scan the actions of executable binaries on the computer and isolate suspicious files.
Risks*: 4 properties: threats (malware), vulnerability, probability, effects, and the time axis.
Status report*: Reporting at several communication frequencies, giving an idea of the attacks, their evolution, the state of the production and support systems (IS), anticipation, and palliative operational solutions.
(By Alice MINETTO, Cyber-Detect)