MITRE ATT&CK vulnerability spotlight: Obfuscated files or information

Introduction

MITRE supports the U.S. government’s R&D efforts by acting as a Federally Funded Research and Development Center (FFRDC), a non-profit organization that serves as a trusted development and testing body. Cybersecurity is one of the fields in which MITRE performs research.

The MITRE ATT&CK Matrix is probably the most famous product created by MITRE in the cybersecurity domain. This tool breaks down the cyberattack life cycle into a series of stages and describes the various means by which the attacker can achieve the goals of each stage.

One stage of the attack life cycle defined by MITRE is Defense Evasion, in which the attacker attempts to bypass or defeat the protections and detection tools put in place by the defender. One means of accomplishing some of the goals of defense evasion is the use of obfuscated files or information.

What are obfuscated files or information?

Many cybersecurity detection products (antivirus, IDS and so on) are designed to work from malware signatures. Once a particular malware variant has been identified in the wild, unique features of that malware are extracted and used to detect and identify it in future infections. Every piece of data passing through the network perimeter or being downloaded to a host is compared against these signatures. If a match is found, action is taken (deletion, quarantine, alerting and so on).

The goal of obfuscation is to defeat these signature-based detection systems and to increase the difficulty of performing a forensic analysis of a malware sample. If the data or code that a signature is based upon is obfuscated in some way, detection engines looking for the plaintext signature will be unable to find a match.
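To make the point concrete, the following is an added example (not code from the original post or from MITRE): a naive engine that matches only the literal signature, beside a scanner that also looks through one common obfuscation layer (single-byte XOR) and flags high-entropy blobs. The signature bytes and samples are constructed for the demonstration; the XOR helper exists only to build the obfuscated sample.

```python
import math
from typing import Optional

# Constructed "signature": the byte sequence a signature engine looks for.
SIGNATURE = b"CONSTRUCTED-MALWARE-MARKER"

def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR (used here only to construct the test sample)."""
    return bytes(b ^ key for b in data)

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; packed or encrypted blobs approach 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def plaintext_scan(data: bytes) -> bool:
    """The naive engine: match only the literal signature bytes."""
    return SIGNATURE in data

def xor_aware_scan(data: bytes) -> Optional[int]:
    """Try every single-byte key; return the key that reveals the signature, else None."""
    for key in range(256):
        if SIGNATURE in xor_bytes(data, key):
            return key
    return None

def classify(data: bytes, entropy_threshold: float = 7.0) -> str:
    """Defender-side verdict: plaintext match, then XOR-aware match, then entropy."""
    if plaintext_scan(data):
        return "match:plaintext"
    key = xor_aware_scan(data)
    if key is not None:
        return f"match:xor-key-{key:#04x}"
    if shannon_entropy(data) >= entropy_threshold:
        return "suspicious:high-entropy"
    return "clean"

# Constructed samples: the marker wrapped in filler, plain and XOR-obfuscated.
PLAIN_SAMPLE = b"some benign header\x00" + SIGNATURE + b"\x00trailer"
OBFUSCATED_SAMPLE = xor_bytes(PLAIN_SAMPLE, 0x5A)

if __name__ == "__main__":
    for name, sample in (("plain", PLAIN_SAMPLE), ("obfuscated", OBFUSCATED_SAMPLE)):
        print(name, plaintext_scan(sample), classify(sample))
```

The plaintext engine misses the obfuscated sample entirely, which is exactly the gap the technique exploits; a real product closes it with emulation or unpacking before matching, of which the brute-force XOR pass is the simplest instance.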

There are many obfuscation algorithms in existence; however, many of them can be classified into a few (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Howard Poston. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/Qa338AohJ-U/