In the face of the often cited Advanced Persistent Threat, most large IT environments have complemented their security landscape with so-called advanced malware detection solutions. Those solutions extend typical signature-based malware detection with behavior-based analysis methods that detect malicious actions in the execution trace of a sample. Execution traces are created using mechanisms like emulation, hooking, or introspection and are analyzed using heuristic approaches. Since many environments rely on this technology, we will describe the capabilities and limits of two major products when it comes to APT detection and mitigation. Their capabilities were analyzed in several customer projects for their effectiveness against recent attacks, which were reproduced based on the analysis of recent incidents. We will provide an overview of which attack scenarios and primitives are detected (and also how to bypass certain restrictions).
Matthias Luft is a security researcher and heads the German security research company ERNW Research. He is interested in a broad range of topics (such as DLP, virtualization, and network security) while keeping up with the daily consulting and assessment work.