Ioana Sundius

The Magic in ECAT’s Behavior Detection – Part 1

Blog Post created by Ioana Sundius on Apr 19, 2016

Years ago, when the ECAT team was all of a handful of Canadians, I saw my first ECAT demo. Look Ma, no feeds, no signatures, no scans. It will still tell you what’s wrong, before your highly paid consultant can. At that moment, I was sitting in a demo room, surrounded by some of exactly such highly paid consultants, eyes wide as onions! Wait, how?!!!


With STIX still a few years away, OpenIOC seemed poised for greatness at the time.  With roughly 2500 terms to describe conditions on the ground, a standard-based design leveraging XML and LUA parsers, and with thousands of attacks already described in the language, it looked like the best direction moving forward.


The catch, however: where do you start? Some private data showed up on a public server somewhere and now you’re staring at 50,000 endpoints with no clue where the culprit might be hiding. Until that demo, it was still a matter of intuition, discrimination, trial-and-error, as well as hiring the best minds for the job. They looked for malware, relying on their thousands of “secret sauce” indicators, a measure of their experience. They took the weekend, scanning. But the first question in anyone’s mind was still: “Am I targeted?” – which roughly (still!) translates into: “Will my intel help me this time?” (Fingers quietly crossed...)


Which is why seeing ECAT in action seemed so implausible. It did not just scan for sophisticated malware and their variants. It actually detected new malware.


Let me let that sink in: Without a feed, without a smart analyst, without any external support, IT FOUND NEW MALWARE.


Again... how?


Besides, it did so with little delay, with no enterprise-wide downtime dedicated to scanning, and in seconds. The demo was only 10 minutes long. When I left that meeting, I started to question the direction the entire industry was taking.


You see, searching for specific malware is not only hard – but also fruitless. It’s a Sisyphean task: after all the work done in capturing, describing and sharing your opponent’s technique, a simple change can bring you back to square 1. Write to this directory, not that. What ECAT did radically differently was look for canonical behaviors. You can spend hours looking for all known variants of Zeus on your endpoint, or you can simply look for generic capabilities shared across all malware, and maybe back it up with some data analytics to decide whether that behavior, in context, is likely to be bad.


ECAT won’t name it Zeus, but besides your Zeus, it will also find any other malware that shares behaviors with Zeus. How about all Zeus variants and then some?


Instead of shepherding thousands of IOCs, it had its detection engine built right under its hood. It was not trying to detect things on the endpoint itself. Instead it bagged-and-tagged relevant information and brought it to the server for analysis. Fast, flexible and smart.


When RSA decided to purchase ECAT, I felt a little bit jealous.


Fast forward a few years, and I do find myself with the opportunity to work directly with ECAT, and shape its path forward.


What has changed since then? One big visible difference, certainly, is the Instant IOCs (IIOCs), which, at first sight, seem to contradict the claim of signature-less prowess. So let’s look a bit closer at this feature.


ECAT continues to look for all malware, new and old, alike. Its Instant IOCs (IIOCs) describe the behaviors it’s looking for, and they enable workflow integration with other modules: things like Alerts, Syslog and so on. But at their core, it’s essentially still the same detection engine that took everyone by surprise. We simply let you see the queries.


Managing a library of thousands of known threats is hard. New variants are issued, scanning software changes, bugs are found (but fixes are rarely propagated). The authors move on to greener pastures – “how did this old indicator work?”. The fact is, while many superheroes find new and exciting malware and might even jot down the indicator to look for it elsewhere, as an industry, we find ourselves in a great dearth of doctors to maintain that treasure trove of thousands of entries in threat intelligence. In essence, that is the “Indicator Challenge”.


With ECAT, the list is small, and it comes right out of the box. Nothing to refresh, and for a product with a few years under its belt, that set of canonical searches has withstood the test of time with remarkable aplomb. Even as new malware is created, the mechanisms of attack are curiously constant! IIOC maintenance is part of every ECAT release.


And therein lies the magic!


Next installments: When to create new IIOCs and a side-by-side dissection showing OpenIOC / STIX and IIOC triggering on the same malware. Known malware, to give them a chance!