Why Signature-Based Detection Struggles to Keep Up With the New Attack Landscape

PUBLISHED ON December 6, 2021
LAST UPDATED July 26, 2022

Change is an inherent part of cybersecurity as attackers constantly look for new ways to evade and subvert existing controls. However, every once in a while, attackers or defenders will make an evolutionary leap forward that goes beyond the incremental back and forth that normally defines the threat landscape. In these cases, security teams can find that their security tools are built for playing checkers while the attackers have moved on to playing chess.  

Application security is in the midst of one of these evolutionary transitions. For decades, security tools have been built on regular expression rulesets designed to detect individual malicious events. Attackers have evolved in a variety of ways to avoid triggering these rules. Attackers now use malicious automation to blend in with valid end users and abuse exposed application functionality. They blend techniques and tactics while remaining low-and-slow to avoid setting off rules. They operate in a distributed fashion, constantly rotating across IP addresses and other infrastructure to avoid drawing too much attention to any individual host. 

We recently published a guide on this topic, What Lies Beneath: What You Need to Know About the Modern Threat Landscape, and are now kicking off a related blog series where we will look at the specific techniques that attackers use in order to remain hidden and below the waterline of traditional security tools. And of course, an evolutionary leap in attack techniques demands an evolutionary leap in security tools, so we will see how ThreatX brings a new approach that arms security teams to deal with today’s most advanced threats as well as whatever comes next.  

But before we dive into individual techniques and attacks, let’s pause to look at the big picture to see why so much enterprise risk remains below the surface. Specifically, let’s take a look at three big trends that are fueling the AppSec iceberg. 

#1 – Attackers Have Stretched Out the Timescale 

Traditional security tools have very short attention spans when it comes to detecting threats. WAF detection logic is often limited to analyzing a single request for specific regex pattern matches. Other rules will count events over a very short time range in order to find obvious patterns such as a flood of traffic or login attempts. In either case, the analysis window is very narrow, ranging from sub-second to a minute or two.  

So what do you do if you know your adversary has a very short attention span? You slow down. And this is exactly what attackers have done. Attackers have all the time in the world, and they only need to win once in order to have a successful attack. So instead of operating on a scale of seconds, they can progressively develop an attack over days and weeks. They can patiently probe for weaknesses, test exposed functionality, and progress their attack on a timescale that is orders of magnitude longer than WAF signatures are built to analyze.  

This means modern security tools need to have very long-term memories. Just as importantly, they need to be able to use these memories and context in real-time so that attacks can actually be prevented and not simply detected after the fact. 

#2 – Attacks Are Blended 

Modern attacks also leverage a variety of techniques toward a common goal. This blended approach takes advantage of the specialized and siloed nature of many security tools. For example, organizations may have a tool for exploits, a tool for bots, a tool for DDoS, a tool for behavioral anomalies, and so on. Even when security vendors consolidate these functions into a single product, they typically exist as multiple separate point products bundled into a single chassis or SKU. This ends up being more of a “big box” packaging option that doesn’t do the hard work of synthesizing all the different perspectives into a single security context.

This is important because attackers are no longer one-trick ponies, but instead, pick and choose whatever techniques will help further their attack. For example, virtually all attacks will leverage some form of automation, whether that is using bots to attack application functionality, scan for exposed vulnerabilities, or any number of other actions. DDoS techniques can be used to overwhelm and distract security staff or provide cover for more sinister account take-over techniques. 

Traditional security tools will fail to see the context and connections between all of these interrelated events. The vast majority of AppSec tools are like a brain with only one sense. Even many solutions that bill themselves as a WAAP are like a car full of four or five people, each with a single sense. Coordinating all the different perspectives in real-time becomes almost impossible. A true WAAP must have a single brain that takes advantage of multiple senses. All available perspectives must be used in real-time to deliver the most accurate answer available.  

#3 – Evasion Is the Great Enabler 

We will look at specific evasion techniques in more detail in coming blogs; however, we’d be remiss if we didn’t cover the critical role evasion plays in the strategy of modern attacks. So far, we have talked about how attackers can slow down and blend their techniques. Evasion techniques further amplify these strategies by providing a constantly moving target that makes it almost impossible for traditional security tools to connect the dots.  

Attackers can employ massive botnets of compromised hosts, allowing their malicious actions to be distributed across many hosts or IP addresses. Attackers can manipulate their automated attacks to change their user agents or other traits to make it hard for defenders to key off of any one indicator. 

These examples are just scratching the surface of how evasion is being used today. However, they underscore why ThreatX invests so heavily in attacker-centric technologies. These techniques allow the system to challenge, interrogate, and fingerprint attackers. This lets the platform see the actual attacking entity even as the individual hosts, IP addresses, and other assets change.
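To make the points in #1 (short analysis windows) and #3 (rotating IPs) concrete, here is an added example, not code from the original post or from ThreatX, that runs three detection rules over a constructed access log. The fingerprint field, the `fp-*` values, and the IP addresses are all assumptions made for the example; the rules count probe-like 404 responses per entity inside a sliding window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (not real traffic). Fields: timestamp, source IP,
# client fingerprint (assumed to come from a challenge/fingerprinting step),
# path, HTTP status. Entity "fp-A1" probes once every ~10 minutes from a
# different IP each time; "fp-B7" is an ordinary user.
SAMPLE_LOG = [
    ("2021-12-06T10:00:00", "203.0.113.10", "fp-A1", "/probe-1", 404),
    ("2021-12-06T10:05:00", "192.0.2.50", "fp-B7", "/", 200),
    ("2021-12-06T10:10:00", "203.0.113.25", "fp-A1", "/probe-2", 404),
    ("2021-12-06T10:20:00", "198.51.100.7", "fp-A1", "/probe-3", 404),
    ("2021-12-06T10:30:00", "198.51.100.9", "fp-A1", "/probe-4", 404),
    ("2021-12-06T10:40:00", "203.0.113.44", "fp-A1", "/probe-5", 404),
    ("2021-12-06T10:50:00", "192.0.2.3", "fp-A1", "/probe-6", 404),
]

def flag_entities(log, key_fn, window, threshold, probe_status=404):
    """Return the keys (as chosen by key_fn) that produced at least
    `threshold` probe responses inside any sliding window of length `window`."""
    times_by_key = defaultdict(list)
    for ts, ip, fp, _path, status in log:
        if status == probe_status:
            times_by_key[key_fn(ip, fp)].append(datetime.fromisoformat(ts))
    flagged = set()
    for key, times in times_by_key.items():
        times.sort()
        start = 0  # left edge of the sliding window
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(key)
                break
    return flagged

def short_window_by_ip(log=SAMPLE_LOG):
    """Classic rule: 5 probes from one IP within 60 seconds -> misses the slow scan."""
    return flag_entities(log, lambda ip, fp: ip, timedelta(seconds=60), 5)

def long_window_by_ip(log=SAMPLE_LOG):
    """Long memory but keyed on IP -> still misses it, every request used a new IP."""
    return flag_entities(log, lambda ip, fp: ip, timedelta(hours=24), 5)

def long_window_by_fingerprint(log=SAMPLE_LOG):
    """Long memory keyed on the fingerprinted entity -> flags fp-A1."""
    return flag_entities(log, lambda ip, fp: fp, timedelta(hours=24), 5)
```

Only the rule that combines a long window with an entity key that survives IP rotation flags the probing; widening the window alone is not enough.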

To learn more, check out our new guide, What Lies Beneath: What You Need to Know About the Modern Threat Landscape.

And stay tuned for more entries in this blog series. Next up, we will start to dive into some of the specific threats that make up the AppSec iceberg.


About the Author

Tom Hickman

Tom has a long track record of building and scaling product delivery capabilities at mid- and growth-stage startups. He served as the VP of Engineering at Edgewise Networks, where he led engineering through early releases of Edgewise’s zero-trust micro-segmentation product. While at Veracode, a leader in AppSec, Hickman led engineering through an Agile transformation and helped the company become a true multi-faceted AppSec platform prior to its acquisition by CA Technologies in 2017. Tom holds a B.S. degree in mechanical engineering from the Georgia Institute of Technology.