By Ian Pratt, co-founder and President of Bromium
Verizon’s 2017 Data Breach Investigations Report found that financial services organisations were the most common victims of cybercrime, with 24% of all data breaches occurring within this sector. Reducing the scale of this problem is far from easy, as much of the financial services industry continues to rely on detection-based security to defend against attacks. That approach leaves firms permanently one step behind the attackers, and the gap is only getting bigger. We have observed that most malware hashes are in circulation for a matter of seconds before the code changes, and that most samples are seen only once; even with AI and automation, detection software simply cannot keep up. In fact, with so many malware variants available at the fingertips of cyber criminals, detecting every malicious program is not just impractical, it is mathematically impossible.
While the security industry struggles to find a way to detect every possible threat that the banks might come up against, Alan Turing’s proof that the halting problem is undecidable showed over 80 years ago why this cannot be done. In 1936 Turing showed that no algorithm can decide, for every program and every input, whether that program will halt: any candidate decider can be fed a program built to do the opposite of whatever the decider predicts about it, so the decider is wrong on that input. The same self-referential construction defeats any program that claims to label every possible input as safe or malicious, or as will halt or won’t halt. Like a net cast to cover absolutely everything, it gets tangled in itself; if the net is not cast widely enough, there will always be something that is missed. As the recent high-profile breach at Tesco Bank showed, in which £2.5 million was stolen from 9,000 customer accounts, the consequences of an attack slipping below the radar can be all too painful in the financial services industry.
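The self-referential construction behind that argument can be written out directly. The Python below is an added example, not code from the article or from Bromium: it models a "detector" as any terminating function that takes a program and returns True if it judges it malicious, and models "malicious behaviour" as the program returning the string "malicious" (both conventions are assumptions made for the demonstration). Given any such detector, it builds a program that asks the detector about itself and does the opposite, which is the diagonal argument Turing used for the halting problem and that Fred Cohen applied to virus detection in 1987.

```python
"""Diagonal argument against a perfect malware detector (added example).

A 'detector' is any callable taking a program (a zero-argument function) and
returning True if it judges the program malicious.  'Malicious behaviour' is
modelled as the program returning the string "malicious".  Both conventions
are assumptions made for this demonstration, not the article's.
"""
from typing import Callable

Program = Callable[[], str]
Detector = Callable[[Program], bool]


def make_counterexample(detector: Detector) -> Program:
    """Return a program whose real behaviour contradicts the detector's verdict on it.

    The program consults the (hypothetical) detector about itself and does the
    opposite of what the detector predicts.  If the detector flags it, it
    behaves benignly; if the detector clears it, it misbehaves.  Either way
    the detector is wrong on this input, so no terminating detector can be
    right on every program.
    """

    def diagonal() -> str:
        if detector(diagonal):      # detector says "malicious" ...
            return "benign"         # ... so do nothing bad
        return "malicious"          # detector says "benign" ... so misbehave

    return diagonal


def is_actually_malicious(program: Program) -> bool:
    """Ground truth: run the program and observe what it really does."""
    return program() == "malicious"


def detector_is_wrong_on_own_counterexample(detector: Detector) -> bool:
    """True iff the detector's verdict disagrees with the program's real behaviour."""
    prog = make_counterexample(detector)
    return detector(prog) != is_actually_malicious(prog)


# Three candidate 'detectors', from naive to signature-based.  None survives.
def flag_everything(_: Program) -> bool:
    return True


def flag_nothing(_: Program) -> bool:
    return False


def signature_scan(program: Program) -> bool:
    """A 'signature' detector: flags programs whose bytecode contains the
    literal "malicious".  It is a total, terminating function, yet it is still
    defeated, because the counterexample inverts whatever it says."""
    return "malicious" in program.__code__.co_consts


if __name__ == "__main__":
    for det in (flag_everything, flag_nothing, signature_scan):
        print(det.__name__, "wrong on its counterexample:",
              detector_is_wrong_on_own_counterexample(det))
```

Note what happens if a detector tries to escape the trap by executing the program to see what it does: the program calls the detector, which runs the program, which calls the detector, and neither ever returns. That non-termination is the halting problem reappearing, which is why the argument does not depend on the detector being static.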
In the red with mutating malware
This problem, all too familiar to the security professionals tasked with protecting the banks from cybercrime, has been compounded by the rise of polymorphic malware. Polymorphic malware is designed to defeat signature-based detection: the delivered code is automatically transformed each time it is sent, typically by re-encrypting the payload under a fresh key and regenerating the small decoder stub that unpacks it, so every sample has a different hash and byte pattern even though its behaviour is unchanged, and attacks cannot be traced back to a single piece of malicious software. To put the problem this creates into perspective, researchers at Columbia have shown that there are many more possible strains of polymorphic malware than there are atoms in the universe. No amount of computing power can search the possibilities.
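To make the hash-and-signature problem concrete, here is a toy polymorphic encoder, added as an example and not taken from the article or from any real malware family. The payload is a harmless string and the decoder is a Python function rather than machine code; only the transformation idea is real. Each delivery XORs the payload with a fresh random key and prepends a random amount of junk, so every sample hashes differently and contains no fixed byte string to signature, while decoding always recovers the same payload. The sample layout (length bytes, key, junk, body) is an assumption of this example.

```python
"""Toy polymorphic encoder (added example): same behaviour, different bytes each time."""
import hashlib
import os
from typing import Tuple

# Constructed, benign payload standing in for malicious code.
PAYLOAD = b"print('hello from the same payload every time')"


def encode_sample(payload: bytes, key_len: int = 8) -> bytes:
    """Produce one 'delivered' sample: key_len | junk_len | key | junk | xor(payload)."""
    key = os.urandom(key_len)
    junk_len = os.urandom(1)[0]            # 0..255 bytes of random padding
    junk = os.urandom(junk_len)
    body = bytes(b ^ key[i % key_len] for i, b in enumerate(payload))
    return bytes([key_len, junk_len]) + key + junk + body


def decode_sample(sample: bytes) -> bytes:
    """The 'decoder stub': recover the payload from a delivered sample."""
    key_len, junk_len = sample[0], sample[1]
    key = sample[2:2 + key_len]
    body = sample[2 + key_len + junk_len:]
    return bytes(b ^ key[i % key_len] for i, b in enumerate(body))


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def signature_matches(sample: bytes, signature: bytes) -> bool:
    """A classic byte-signature check: does a known plaintext fragment appear?"""
    return signature in sample


def demo(n: int = 5) -> Tuple[int, int, int]:
    """Deliver the payload n times.

    Returns (distinct hashes, samples that decode correctly, signature hits).
    Expected: n distinct hashes, n correct decodes, 0 hits for a signature
    taken from the plaintext payload.
    """
    samples = [encode_sample(PAYLOAD) for _ in range(n)]
    hashes = {sha256(s) for s in samples}
    decodes_ok = sum(decode_sample(s) == PAYLOAD for s in samples)
    sig_hits = sum(signature_matches(s, PAYLOAD[:16]) for s in samples)
    return len(hashes), decodes_ok, sig_hits


if __name__ == "__main__":
    print("distinct hashes, correct decodes, signature hits:", demo())
```

A hash blocklist or plaintext signature never fires on these samples; the only things that stay constant are the decoder's structure and, above all, what the payload does once decoded, which is why the argument below moves from matching bytes to containing and observing behaviour.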
This is not a fight that the financial services industry, or indeed any other sector, can win. We have to accept that computers are more like us than we think: they cannot reliably tell good from bad. Those trying to keep the banks’ systems secure need to climb out of this reactive rut and look at how to build proactive defences that do not depend on detection. To provide an effective line of defence, security technology should focus on what it can defend: the environment of the individual worker within the bank. From application sandboxes to white-listing and behaviour analysis, the industry has the groundwork in place, but these solutions often come at a price, namely sacrifices to performance and user flexibility that affect productivity.
Virtualisation has been around for some time, but companies are only now starting to look at it as a way to protect the user without compromising on performance. Microsoft, for example, recently announced that it plans to protect Edge browser users by running the browser inside a Hyper-V virtual machine, under the name Windows Defender Application Guard.
Tipping the balance by letting malware run
Advances in modern CPU architectures have made it possible to create micro-VMs (virtual machines) on the endpoint that isolate each user task in its own disposable virtual environment. Because the isolation is enforced by the processor’s hardware virtualisation extensions rather than by the operating system, a micro-VM can be created and destroyed in milliseconds for every task the user performs, from opening an email attachment containing a seemingly legitimate financial report to clicking on a link that leads to a malicious landing page.
Because every new task is isolated in its own micro-VM with access to just the resources that task requires, malware that executes inside it cannot affect the underlying physical machine or any other task running in its own micro-VM. It cannot reach other data, persist on the machine once the micro-VM is discarded, or reach other systems on the enterprise network: it has nothing to steal and nowhere to go. (The caveat a practitioner should keep in mind is that the isolation boundary is the hypervisor itself, so the guarantee is only as strong as the hypervisor’s attack surface, and whatever the user places into that one task, such as the document being viewed or credentials typed into a phishing page, is still visible to code running inside it.) This kind of micro-virtualisation could be the answer banks are looking for, as the user is protected by the CPU before the malware is even detected. Cybercriminals therefore cannot use their most successful tactic, phishing, to gain a foothold on bank workers’ terminals from which they can leapfrog onto other systems to steal sensitive account information or capture logins to secure systems.
Running tasks in micro-VMs also allows their behaviour to be monitored from outside the micro-VM, capturing a black-box flight-recorder trace of their execution that cannot be erased by any malware running inside. The trace can be checked for deviations from the task’s expected execution behaviour, which indicate the presence of malware, polymorphic or not, because the check looks at what the code does rather than what it looks like. Full forensic data can be collected before the micro-VM is destroyed. This keeps banks one step ahead of their attackers, giving them a safe environment in which to gather intelligence on the latest techniques being used against them and to demonstrate that their customers’ finances are in safe hands.
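The behaviour check described above reduces to comparing what a task actually did against what a task of that kind is allowed to do. The Python below is an added example, not Bromium’s introspection code: the one-line-per-event trace format, the "open_pdf" profile and both sample traces are constructed for this demonstration, and a real trace would carry far more (syscalls, registry keys, memory writes). The logic is the point: an event outside the task’s expected profile is a deviation no matter how the code that caused it was packed or mutated.

```python
"""Check a micro-VM execution trace against an expected behaviour profile (added example)."""
from fnmatch import fnmatchcase
from typing import Dict, List

# What a task of a given kind is expected to do.  The profile is an assumption
# made for this example; a deployment would derive it from observed good runs.
PROFILES: Dict[str, Dict[str, List[str]]] = {
    "open_pdf": {
        "file_read":     ["C:\\Users\\*\\Downloads\\*.pdf", "C:\\Windows\\Fonts\\*"],
        "file_write":    ["C:\\Users\\*\\AppData\\Local\\Temp\\*"],
        "process_spawn": [],          # a PDF viewer never launches anything
        "net_connect":   [],          # and never talks to the network
    },
}

# Constructed traces for an "open a financial report" task: one event per
# line, "<event> <target>".  The second one is what a weaponised PDF leaves.
BENIGN_TRACE = """\
file_read C:\\Users\\alice\\Downloads\\Q3-report.pdf
file_read C:\\Windows\\Fonts\\arial.ttf
file_write C:\\Users\\alice\\AppData\\Local\\Temp\\render.tmp
"""

MALICIOUS_TRACE = """\
file_read C:\\Users\\alice\\Downloads\\Q3-report.pdf
process_spawn C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
net_connect 203.0.113.7:443
file_write C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk
"""


def deviations(trace: str, task_kind: str) -> List[str]:
    """Return every trace line that falls outside the task kind's profile.

    An event type the profile does not list at all, or a target that matches
    none of the allowed patterns for that event type, is a deviation.
    """
    profile = PROFILES[task_kind]
    flagged: List[str] = []
    for line in trace.splitlines():
        if not line.strip():
            continue
        event, _, target = line.partition(" ")   # target may contain spaces
        allowed = profile.get(event)
        if allowed is None or not any(fnmatchcase(target, pat) for pat in allowed):
            flagged.append(line)
    return flagged


def verdict(trace: str, task_kind: str) -> str:
    """Summarise a trace: 'clean' or 'suspect (<n> deviations)'."""
    devs = deviations(trace, task_kind)
    return "clean" if not devs else f"suspect ({len(devs)} deviations)"


if __name__ == "__main__":
    for name, trace in (("benign", BENIGN_TRACE), ("malicious", MALICIOUS_TRACE)):
        print(name, "->", verdict(trace, "open_pdf"))
        for d in deviations(trace, "open_pdf"):
            print("   ", d)
```

The malicious trace is flagged on three independent lines (a spawned shell, an outbound connection, and a write to the Startup folder), and none of the checks needed a hash or byte pattern of the dropped code. Because the micro-VM is discarded afterwards, the Startup entry never survives anyway; the trace is what turns the contained attempt into intelligence.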
Challenging the norm
By proving that the halting problem is undecidable, Turing demonstrated that an all-seeing algorithm that can predict anything cannot logically exist. The current approach to security is unworkable: if banks continue to rely on detection-based software to keep the bad guys out of the digital vault, the hackers will continue to win. We do not need ‘next gen’ detection software; we need to start again and look at new technologies that will not just turn the tide against cybercriminals but force hackers to meet us on a battleground of our choosing.