Art of Scoring Malware Detections – Friend or Foe?

Oliver Tavakoli, CTO, Vectra Networks
August 15, 2014

As our customer base has grown, the variety of opinions about what constitutes a threat has grown with it. This variety creates challenges for products like ours, which strive to supply the right epiphanies with little or no configuration required by our customers.

One example of this comes up when we’ve detected what we call “external remote access” behavior in the network. This detection algorithm detects remote control of a host inside an organization’s network by an entity outside the network, over a connection that the internal host initiated. In this context, “outside” means not connected via VPN.

An example of this would be a desktop sharing application such as GoToMyPC where an employee decides to make her desktop accessible via her smartphone while she is out of the office. Scarier examples include Remote Access Tools (RATs) such as Poison Ivy, DarkComet or Blackshades that provide the same functionality, but are more highly correlated with targeted attacks.

The presence of external remote access detections in a customer’s networks usually leads to a discussion that places the customer in one of the following two categories:

  • The customer considers commercial remote desktop services and RATs as functionally equivalent. Both provide a means for an external entity to exert control over a machine on the inside of the network. RATs are more highly correlated with targeted attacks and commercial remote desktop services are more correlated with uninformed employees who don’t understand the security implications of using such services. But a targeted attack could just as easily make use of a commercial remote desktop service and an employee might use a RAT. These customers typically have a policy against any form of remote access that does not involve use of the company-approved VPN technology and will terminate all such connections and sometimes even the employee.
  • The customer considers commercial remote desktop services and RATs as very different. They want to see RAT detection accompanied by a high threat score and still want visibility into the commercial remote desktop sessions, but don’t want those sessions to drive our conception of threat when there’s no other reason to view the host suspiciously. These customers typically have no explicit policy against the use of commercial remote desktop services. They want to see detection of this behavior, but will only treat it as a piece of information that helps form their view of the risk profile of an employee.
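The two customer categories above can be read as two scoring policies applied to the same detections. The sketch below is an added example, not Vectra's scoring algorithm; the policy names, field names, score values and sample hosts are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

# All names and numbers below are assumptions made for this example.
STRICT = "strict"          # category 1: any non-VPN remote access is a violation
CONTEXTUAL = "contextual"  # category 2: commercial tools alone are informational

@dataclass
class Detection:
    host: str
    tool_class: str        # "rat" or "commercial"
    other_detections: int  # unrelated suspicious detections on the same host

def threat_score(d: Detection, policy: str) -> int:
    """Return a 0-100 threat score for one external remote access detection."""
    if d.tool_class not in ("rat", "commercial"):
        raise ValueError(f"unknown tool class: {d.tool_class}")
    if policy == STRICT:
        base = 80                      # both classes treated as equivalent
    elif policy == CONTEXTUAL:
        if d.tool_class == "rat":
            base = 80
        else:
            # Still reported, but low unless the host is otherwise suspicious.
            base = 10 if d.other_detections == 0 else 50
    else:
        raise ValueError(f"unknown policy: {policy}")
    return min(100, base + 5 * d.other_detections)

def rank_hosts(detections, policy):
    """Hosts ordered from highest to lowest score under the given policy."""
    scored = [(threat_score(d, policy), d.host) for d in detections]
    return [host for _, host in sorted(scored, key=lambda s: (-s[0], s[1]))]

# Constructed sample detections, not real data.
SAMPLE = [
    Detection("desk-01", "commercial", 0),  # remote desktop, nothing else seen
    Detection("desk-02", "rat", 0),         # RAT, nothing else seen
    Detection("desk-03", "commercial", 2),  # remote desktop plus other detections
]

if __name__ == "__main__":
    for policy in (STRICT, CONTEXTUAL):
        print(policy, [(d.host, threat_score(d, policy)) for d in SAMPLE])
```

The same three detections produce a different triage order under each policy, while the commercial remote desktop session on an otherwise clean host is still reported under both.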

Threat scoring is an extremely malleable idea. When rational customers don’t agree on the importance of detecting something as potentially dangerous as allowing a connection from the outside into the core of their campus networks, it’s clear that the threat is in the eye of the beholder.

About the author

Oliver Tavakoli

Oliver Tavakoli is chief technology officer at Vectra. Oliver is a technologist who has alternated between working for large and small companies throughout his 25-year career – he is clearly doing the latter right now. Prior to joining Vectra, Oliver spent more than seven years at Juniper as chief technical officer for the security business. Oliver joined Juniper as a result of its acquisition of Funk Software, where he was CTO and better known as developer #1 for Steel-Belted Radius. Prior to joining Funk Software, Oliver co-founded Trilogy Inc. and prior to that, he did stints at Novell, Fluent Machines and IBM. Oliver received an MS in mathematics and a BA in mathematics and computer science from the University of Tennessee.
