What exactly are Evasion Techniques?

Evasion techniques are what malicious payloads use to avoid detection by sandboxing services. Malware authors have two priorities when creating malware: being silent and being deadly, getting as much as they can for as little effort as possible.

We thought it would be worth talking about how effective these evasion techniques are against traditional sandboxes and how we at Libraesva handle them in our Email Security Gateway.

My Top Evasion Techniques

Polymorphic Code – Code commonly used to bypass pattern- and hash-based detection: the malware modifies itself as it is delivered to other locations, which makes it very hard to track and detect. Polymorphic attacks don’t have a single detectable signature. Shikata ga nai (“it cannot be helped”) is a popular polymorphic encoder in the Metasploit framework, which makes it relatively easy to turn malicious code into polymorphic code.

This technique specifically involves encoding the payload in some fashion and then placing a decoder in front of the payload, to undo that mess, before sending it. When the target executes the polymorphic code, the decoder runs first and rewrites the subsequent payload back into its original, malicious and nasty form before executing it.

User and System Interaction Detection – Users interact with computer systems in different ways; they are unpredictable in some sense, which makes them easy to spot. They press keys on a keyboard in a specific way, scroll with the mouse wheel and click on things with the mouse. There are no interactions this bespoke in a traditional sandboxed environment, so malicious hackers teach malware to wait for a specific user interaction before exhibiting its malicious behaviour.

Examples of this include executing only after you scroll to a particular place within a Word document (using paragraph codes in Word files); Trojan.APT.BaneChan, which activates only after a certain number of mouse clicks by the user; and timing the speed of mouse movement and halting all code unless the mouse moves at a human’s speed.

Other system checks malware performs include the core count technique, which lets malware find differences between virtual and physical system CPU cores. Many sandbox vendors hide their system settings and hardware, so when the check is done the malware gets back null, which is a good sign for the malware to stop running.

Lastly, one of my personal favourite checks is the reboot check, where the malware checks whether reboot triggers are executed in full. Sandboxes can try to emulate a reboot by logging out and back in as users and sleeping the system, but these never run all the reboot triggers. The main reason this is such a useful evasion technique is that most sandboxes cannot survive a true reboot. So if you make your malware run only after the machine has been switched off and back on, you’ll rarely detonate in a sandbox environment!

Obfuscation of Internal Data – Some sandbox evasion techniques consist of allowing the malware to change and encrypt itself, similar to the polymorphic examples referenced above; however, this is simpler to run and can help you target attacks at specific organizations.

Fast Flux is a technique of changing DNS names and IP addresses rapidly, mainly used by large botnets that aim to hide themselves from phishing detection systems. It allows malware to bypass the blacklists that most security solutions build. Some malware is known to change its domain names as often as every 10 minutes.
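The churn described above is what a defender can measure: a fast-flux domain resolves to many unrelated addresses with very short TTLs, whereas a normal service keeps a stable record. The following heuristic, added here as an illustration and not part of Libraesva’s product code, scores passive-DNS style observations (constructed sample data using RFC 5737 test addresses and the reserved `.test` TLD) for fast-flux behaviour; the thresholds are assumptions a practitioner would tune.

```python
from collections import defaultdict

# Constructed observations: (timestamp_s, domain, resolved_ip, ttl_s).
# The first domain rotates through unrelated /24s every 10 minutes with a
# tiny TTL; the second behaves like an ordinary web server.
SAMPLE_OBSERVATIONS = [
    (0,    "login-example.test", "203.0.113.10",  120),
    (600,  "login-example.test", "198.51.100.7",  120),
    (1200, "login-example.test", "192.0.2.33",     60),
    (1800, "login-example.test", "203.0.113.200",  90),
    (2400, "login-example.test", "198.51.100.99", 120),
    (3000, "login-example.test", "192.0.2.77",     60),
    (0,    "www.example.test",   "192.0.2.1",    3600),
    (3600, "www.example.test",   "192.0.2.1",    3600),
    (7200, "www.example.test",   "192.0.2.2",    3600),
]

def fast_flux_score(observations, max_ttl=300, min_ips=5, window_s=3600):
    """Per domain: distinct IPs, distinct /24 networks, lowest TTL seen,
    peak number of distinct IPs inside any sliding window, and a verdict.
    Thresholds are assumed defaults, not values from any vendor."""
    by_domain = defaultdict(list)
    for ts, domain, ip, ttl in observations:
        by_domain[domain].append((ts, ip, ttl))
    report = {}
    for domain, rows in by_domain.items():
        rows.sort()
        ips = {ip for _, ip, _ in rows}
        subnets = {".".join(ip.split(".")[:3]) for ip in ips}
        min_ttl = min(ttl for _, _, ttl in rows)
        # Sliding window: how many distinct IPs appear within window_s seconds
        # of any observation. High churn in a short window is the flux signal.
        peak = 0
        for i, (t0, _, _) in enumerate(rows):
            seen = {ip for t, ip, _ in rows[i:] if t - t0 <= window_s}
            peak = max(peak, len(seen))
        report[domain] = {
            "distinct_ips": len(ips),
            "distinct_24s": len(subnets),
            "min_ttl": min_ttl,
            "peak_ips_per_window": peak,
            # Require short TTL, many IPs in one window and spread across networks,
            # so a single load-balanced /24 does not trigger the verdict.
            "fast_flux": min_ttl <= max_ttl and peak >= min_ips and len(subnets) >= 2,
        }
    return report
```

Feeding the same function with real resolver logs turns a domain blacklist into a behavioural check that does not need to know the domain in advance.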

Data Encryption can be a quick way to win big: encrypting API calls so that traditional sandboxes can’t read the APIs. Usually multiple encryption keys are used to protect the malware from detection by brute-force decryption.

How does Libraesva’s Sandbox get around this?

Traditional sandboxes are in a constant fight to catch up with malware authors in understanding their evasion techniques and the malware’s specific behaviors. This is sometimes known as a cat and mouse game.

Malware constantly evolves and security teams constantly research.

Libraesva’s QuickSand Sandbox takes a pragmatic approach to stopping these threats by looking directly at the evasion techniques and the signs that something could be malicious, not at the malicious act itself. QuickSand is a preventative sandbox which uses the evasion techniques themselves as indicators to protect you and your users.

Our Head of Research and Development Rodolfo Saccani told me once: “A man walks into a bank with a mask over his head. Does the bank care what the man plans to do? No, they’ve already alerted the police.” This way of explaining evasion techniques, and how to use them as identifiers, sticks with me and helps me define Libraesva’s threat approach: we look less at who he points the gun at or why he is asking for the bank’s money, and more at the identifiers of the man being malicious, i.e. the mask over his head and the gun in his hand.

QuickSand looks directly at things within documents that scream “I’m a bad document”. An example of this is a Word document you’ve been sent that has JavaScript embedded inside it: we don’t care what the JavaScript is doing, we’ve already cleaned the document and disarmed it of any active JavaScript code, because in a typical working environment this isn’t a legitimate use of JavaScript.
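The “mask and gun” rule above, applied to an Office document, means deciding on what the package contains rather than on what its active content would do. The block below is an added illustration of that indicator-based approach, not QuickSand’s code: it lists active-content parts inside an OOXML (.docx) ZIP package, strips them out, and builds a constructed minimal package (not a real Word file) to run against. The entry names and content type it matches are the standard OOXML locations for VBA, OLE and ActiveX parts; the generalisation to those three part types is my assumption about what a “bad document” check would cover.

```python
import io
import re
import zipfile

# Package entries that carry active content in an OOXML (.docx) document.
ACTIVE_ENTRY_PATTERNS = (
    re.compile(r"^word/vbaProject\.bin$", re.I),   # VBA macro project
    re.compile(r"^word/embeddings/", re.I),        # embedded OLE objects
    re.compile(r"^word/activeX/", re.I),           # ActiveX controls
)

def is_active_entry(name):
    return any(p.search(name) for p in ACTIVE_ENTRY_PATTERNS)

def find_indicators(docx_bytes):
    """List the 'bad document' indicators present in a .docx blob, by content not behaviour."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if is_active_entry(name):
                found.append(f"active-content entry: {name}")
        if "[Content_Types].xml" in zf.namelist():
            ct = zf.read("[Content_Types].xml")
            if b"macroEnabled" in ct or b"vbaProject" in ct:
                found.append("content type declares macros")
    return found

def disarm(docx_bytes):
    """Rebuild the package without active-content entries (a simple content-disarm step)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for name in src.namelist():
            if is_active_entry(name):
                continue
            data = src.read(name)
            if name == "[Content_Types].xml":   # drop the macro part declaration as well
                data = re.sub(rb"<Override[^>]*vbaProject[^>]*/>", b"", data)
            dst.writestr(name, data)
    return out.getvalue()

def build_sample_docx():
    """Constructed minimal macro-carrying package for demonstration; not a real Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                    '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/></Types>')
        zf.writestr("word/document.xml", "<w:document><w:body><w:p>hello</w:p></w:body></w:document>")
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed stub, no real macro")
    return buf.getvalue()
```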

QuickSand is also available directly on the appliance, meaning your files and data don’t leave the Libraesva appliance: we aren’t sending anything to a cloud virtual machine sandbox, we process everything in seconds on your own Libra machine.

So next time you are cleaning up a breach or patching holes in your network, try finding new ways to prevent threats, preferably by looking at them before they are detonated, to find patterns and warning signs that they are malicious!

Did I mention that our sandbox is included in Libraesva’s Email Security Gateway?

Thanks for reading this! If you think it was beneficial let me know, and provide any feedback you can to me and the team over on LinkedIn or YouTube!

We proudly announce that we have won the award of “Best Email Security Solution of 2019” at the Computing Security Awards!

Many things have changed since 2014, the first time we won: back then we had Libra ESVA – Email Security Virtual Appliance, a very efficient antispam; nowadays we have the Best Email Security Gateway, which protects your business by detecting all types of cyber threats and attacks spread via email, not just spam!

You are our success and we would like to thank you and all our supporters for voting Libraesva ESG!

The 4th Libraesva Partner Summit, held on May 24th 2019 at the Cà del Bosco vineyard, was a great success!

It was a unique opportunity to meet our team, deepen knowledge of email security and email archiving solutions, and talk with our technology partners, Palo Alto Networks and Cofense.

A result achieved thanks to our partners’ participation in and loyalty to our project.

Libraesva would like to thank all the participants and everyone who contributed to the success of the event!

New distribution contract signed by the leading Italian company with Blue Solutions Ltd, the UK company specialising in the MSP channel, to protect the safety of business data exchanged via e-mail.

Milan/London, 11 April 2019 – The email security landscape for 2019 confirms an increase and diversification of cyber-attacks and infections caused by malware and ransomware in particular, with threats increasingly aimed at reaching users on their mobile devices. Dealing with this scenario, and extending the effectiveness of solutions designed to protect the security of corporate communications and businesses, is the aim of Libraesva – a leading company in the field of email security – which today announces the signing of a new distribution agreement with Blue Solutions Ltd for the British and Irish markets.

Blue Solutions Ltd is a leading value-added security software distributor that has been successfully connecting IT channel partners to profitable Cyber-Security, Backup, Disaster Recovery and ITSM solutions that address end-customers’ critical needs, since 2000. It is unique for its extensive technical expertise, vendor-accredited personnel, Professional Services capability and service provider (MSP) focus – plus its no-commit, PAYG contracts, flexible billing, and easy online management tools.

Thanks to the new partnership, which provides for the distribution of Libraesva solutions in the British and Irish markets, the Italian company will strengthen its presence in this additional European market, where Libraesva foresees far-reaching market development opportunities.

Through Blue Solutions Ltd, Libraesva’s suite of proprietary services and technologies – including the Email Security Gateway, the Email Load Balancer and the Email Archiver – is now within the reach of companies based and operating in these two English-speaking countries, enabling the successful delivery of advanced and certified information security and cybercrime prevention.

“The collaboration with Libraesva puts a real edge on the risk, compliance and GDPR-focused products and services we offer to British and Irish businesses, who need effective, economical, easy to manage solutions to deal daily with the issue of data protection for email that is sent across different devices,” said Mark Charleton, Co-Owner of Blue Solutions.

Paolo Frizzi, CEO of Libraesva, comments: “Companies of every State and Nation are targeted by cybercriminals who, through the oldest and most widely used digital communication channel in existence, namely e-mail, aim to check the IT departments as well as the intellectual properties and sensitive data of entire communities of people, employees and managers. We are pleased to be able to count on Blue Solutions as a Partner to bring our solutions to the attention of those who still rely on systems that have gaps unable to guarantee due protection over time to the enterprise environment.”

We are proud to announce that we have once again been named a finalist in the SC Awards 2019 Europe!

Libraesva Email Security is recognised in the Best Email Security Solution category, which acknowledges superior products and services that help customers to address the most dangerous cyber-security threats.

Winners will be announced at the SC Magazine Awards Europe ceremony to be held in London on Tuesday 4th June.

The SC Magazine Awards Europe are the information security industry’s most prominent recognition. Winners are decided by an expert panel of judges, hand-picked by SC Magazine UK’s editorial team for their breadth of knowledge and experience in the information security industry. The awards honour both the cyber-security professionals working in the trenches and the products and services that help large and small organizations across the globe, securing their business against a myriad of highly targeted and ever-changing threats.

This is one of the most anticipated IT security events of the year and promises a great celebration as well as invaluable networking opportunities with some of the top corporate IT professionals in the country.

Next Generation Email Archiving: protects business critical information, simplifies compliance, improves employee efficiency!

While the digital era is changing many things, email is still the favourite tool for corporate communication: 2.7 billion emails were sent and received each day worldwide in 2018, and this number is constantly growing.

Different kinds of messages are shared each day between employees and stakeholders: invoices, contracts, business information and sometimes also sensitive data.

Keeping track of each one can be hard; information sent by email generally remains in the mailboxes of the users without being stored anywhere else. But a growing number of regulations on email compliance and other legislation require us to do so.

How to do it? Email archiving is the answer, and we have officially released the Libraesva Email Archiver, a powerful and simple solution for email Governance, Risk and Compliance that provides rapid e-Discovery with instant full-text search.

KEY FEATURES & BENEFITS

1. Up and running in minutes guided by user-friendly wizards
2. No customer lock-in, data is stored in open formats. No need for proprietary software to export your email archive
3. Email import from SMTP Journaling, Exchange, Office365, POP3, IMAP, PST, eml archives
4. Multiple storage support: local, LAN, cloud object storage
5. Folder replication: maintains the folder structure of your mailbox
6. Enhance mail server efficiency and boost employee productivity: can offload your mail server and provide instant search results
7. End-user features through native Outlook plug-in and/or responsive web interface

REGULATORY COMPLIANCE

1. Quick complex and detailed searches
2. Data Privacy and security by design to maximize compliance and minimize legal risk
3. Certified time-stamping of each archived email (RFC 3161)
4. Legal Hold
5. Email Encryption (AES256)
6. Granular Permissions: over 80 distinct permissions allow you to create granular user roles
7. Privacy officer management: access to sensitive data can be subject to approval
8. Auditing and anti-tampering

WHY DO YOU NEED LIBRAESVA EMAIL ARCHIVER?

1. Protects you against legal risks where you need to refer to an email which may have been deleted from an employee’s mailbox; an email archiver is a secure storage data repository that provides organizations with protection and support during legal proceedings, making it easy to access and find the required documentation (e-Discovery)
2. Boosts employee productivity by making it quicker and easier to search for and find emails
3. Enhances mail server performance and optimises storage needs
4. Makes data available and accessible in the event of any downtime, planned or unplanned, so that the risk of data loss is minimized

Libraesva offers an end-to-end Email Encryption service to ensure confidential communication stays private and secure.
The emails are encrypted and stored on the sender’s Libraesva Email Security Gateway appliance to ensure your files and encrypted emails are not sent outside of the network.

When an encrypted email is sent, the recipient receives an email alert notifying them that they have received an encrypted email. By accessing the link and entering their email address and encryption key, the user can then read and respond to the encrypted email. You can keep the same encryption key per recipient or have a new key generated every time, depending on your preference.

Email Security IoC Feed Integration

Libraesva and Palo Alto Networks signed their partnership in order to share enterprise security tools, to make organizations aware of their attack surface, and to take advantage of the information and intelligence collected by the security products to improve overall protection against cyberthreats.

Libraesva uses a simple, pragmatic approach to stop email-borne threats. Thanks to its suite, with the Email Security Gateway, Email Load Balancer, Email Archiver and Threat Intelligence Portal, Libraesva provides security, continuity and compliance.

Palo Alto Networks provides a Security Operating Platform to prevent cyberattacks. The platform empowers you to confidently automate threat identification and enforcement across cloud, network and endpoints using a data-driven approach and precise analytics.

Palo Alto Networks and Libraesva work together to block exploits, ransomware, malware and fileless attacks to minimize infections of endpoints and servers.

The integration provides:

  • High threat detection thanks to Palo Alto Networks next-generation firewalls with indicators of compromise, or IoCs, captured by the Libra ESVA email security gateway. Many of these IoCs are unknown to any other sources.
  • Identification of malicious activity, such as data exfiltration attempts, compromised user accounts and rogue processes.
  • Automated, streamlined incident response to reduce organizational risk and stop threats by capturing malicious domains and adding them to a Palo Alto Networks Next-Generation Firewall policy.

The 3rd Libraesva Partner Security Meeting, held on May 18th 2018 at the Nicolis Museum, was a great success!

The Libraesva Team met its most important Partners and shared with them cyber and e-mail security news, retracing the path and the improvements that have made Libraesva a stronger company with an international outlook.

A result achieved thanks to our partners’ participation in and loyalty to our project.

Libraesva would like to thank all the participants and everyone who contributed to the success of the event!