At Minerva we are proud of our products and believe in their ability to put malware to bed. That’s why we were happy to hear that we scored high marks in a recently published research paper that compared the performance of 31 top endpoint security products. Let’s review the details of the study, how Minerva Armor performed, and offer some insights on the findings.
An Overview Of The Research
Researchers at the University of Piraeus have published the final version of a paper entitled “An Empirical Assessment of Endpoint Security Systems Against Advanced Persistent Threats Attack Vectors”, which compares a wide spectrum of industry-leading EPP and EDR solutions against simulated APT attacks. The research tested 31 products against 4 custom-crafted payloads designed to emulate APT activity in a Windows 10 environment. Minerva Labs stopped an impressive 3 out of the 4 attacks, ranking among the top performers. To understand how Minerva Armor scored, we should review the testing process. The researchers put each EPP through a set of tests designed to measure resilience against known APT attack techniques. The four tests are briefly described below; more technical descriptions, including some source code, can be found in the original paper [1].
- CPL Binary Attack – A CPL file was manually executed under the context of the native Windows binary rundll32.
- DLL Side-loading Attack – Microsoft Teams was used to load a malicious DLL and execute a malware payload under the context of the MS Teams application.
- Portable Executable (PE) Attack – An EXE file crafted to disguise itself as an explorer.exe child process and bypass an unsigned Microsoft DLL event was executed on the target system.
- VBScript Phishing Attack – A VBScript downloaded via a malicious link in a browser HTML Application (HTA) file was successfully executed under the context of mshta.exe.
Taking it To The Real World
So in a controlled academic environment, we got great results. Let’s talk about what happens in real life. In a real-world environment, malware and ransomware seek to establish a presence on the target network and then achieve their main goal: encrypting files and demanding ransom, exfiltrating valuable data, or deleting files to cause harm to an organization.
In order to achieve these goals, APT malware is designed to be as stealthy as possible, using evasive techniques to avoid detection from antivirus software (AV) and other endpoint protection platforms (EPP).
Minerva’s prevention strategy uses the malware’s evasive techniques against it.
The more evasive the malware tries to be, the easier our modules can identify and prevent it from achieving its initial goal of establishing a presence on your network.
Our strategy of directly blocking malware execution when it presents evasive behavior fills a critical gap in existing AV, EPP, and EDR solutions. As the University of Piraeus research results demonstrated, merely detecting and pushing an alert to human SOC team members is less effective at stopping the initial infection, because the malware has time to achieve its primary goals before anyone responds.
How Minerva Ransomware Protection Modules Effectively Respond
Process Isolation Module
Like Minerva’s Browser Isolation Module (BIM), our Process Isolation Module (PIM) isolates the execution environment and protects assets on the host.
If malware attempts to exploit an application to gain access to other files on the system, the PIM blocks that access: the malicious file search is identified and returns no files.
For example, under normal context, MS Office documents do not access other files or send data over the Internet. If an embedded macro tries to access or launch another file, or to steal sensitive data, Minerva’s PIM takes action and blocks access.
Critical Asset Protection Module
Minerva’s Critical Asset Protection Module (CAPM) allows administrators to identify and flag important files, effectively preventing those files from being modified or accessed, unless by a specific designated process.
For example, ATM machines use DLL files to perform critical actions such as dispensing cash. Malware could attempt to hijack the ATM by accessing those critical DLLs and trigger cash to be dispensed. Minerva’s CAPM protects critical files against unauthorized access. The CAPM can be used to protect system files that contain password data, databases with merchant payment data, or other sensitive information from being accessed by attackers.
Execution Block Rules
Whitelisting or “accept-listing” applications is considered the gold standard of defensive endpoint security because it offers the highest level of protection. After all, it represents the ultimate defensive security end goal: to have only the applications and processes that you want operating on an endpoint.
Minerva’s Execution Block Rules are context-based advanced whitelisting that strictly designate which applications and processes can execute and under which context.
For example, under normal context, there is no reason for basic Windows tools such as Notepad, or MS Office applications to execute PowerShell commands.
Our approach of using context awareness to prevent the loading of DLL and CPL files from anomalous locations means our product is able to block a higher number of attacks without relying on a known malware signature. This ability unequivocally increases the security that Minerva Armor delivers, and it contributed to our score being among the best performances in the aforementioned endpoint security research study.
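To make the context-based rules concrete, here is a small rule evaluator added for illustration; it is not Minerva’s code and not the paper’s. It assumes Sysmon-style process-creation and image-load events with constructed paths, and encodes three contexts from this post: Office/Notepad must not launch a script host, rundll32 must not run a CPL from outside System32 (the CPL test above), and an application must not load a DLL from outside its own directory (the Teams side-loading test above).

```python
import ntpath

# Assumed trusted location and process groups (simplified; a real policy is host-specific).
SYSTEM32 = r"c:\windows\system32"
OFFICE_AND_EDITORS = {"winword.exe", "excel.exe", "powerpnt.exe", "notepad.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe"}

def _name(path):
    return ntpath.basename(path).lower()

def _dir(path):
    return ntpath.dirname(path).lower()

def evaluate(event):
    """Return ('block', reason) or ('allow', None) for one event dict."""
    if event["kind"] == "process_create":
        parent, child = _name(event["parent"]), _name(event["image"])
        if parent in OFFICE_AND_EDITORS and child in SCRIPT_HOSTS:
            return "block", "script host launched by Office/Notepad"
        if child == "rundll32.exe":
            # The CPL is named on the command line; allow it only from System32.
            for tok in event.get("cmdline", "").lower().split():
                target = tok.split(",")[0]  # strip an optional ",EntryPoint" suffix
                if target.endswith(".cpl") and _dir(target) != SYSTEM32:
                    return "block", "CPL loaded from anomalous location"
    elif event["kind"] == "image_load":
        # Side-loading: a DLL resolved from outside the loading app's own
        # directory and outside System32 is treated as anomalous.
        dll, host = event["image"].lower(), event["process"].lower()
        if dll.endswith(".dll") and _dir(dll) not in (_dir(host), SYSTEM32):
            return "block", "DLL loaded from outside the application directory"
    return "allow", None

# Constructed sample events (not real telemetry), one per blocked context.
SAMPLE_EVENTS = [
    {"kind": "process_create", "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"kind": "process_create", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL C:\Users\Public\update.cpl"},
    {"kind": "image_load", "process": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe",
     "image": r"C:\Users\alice\Downloads\version.dll"},
]

def run(events):
    """Evaluate every event and return the list of verdicts."""
    return [evaluate(e) for e in events]
```

The command-line parsing is deliberately naive (it does not handle quoted paths with spaces); a production rule would also need an allow list for legitimately installed CPLs and DLLs outside these two locations.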
Conclusion
The APT attacks simulated by the researchers showed that Minerva’s Armor solution is able to prevent a diverse set of attacks much better than most EDR solutions on the market today. In the real world, Minerva’s Hostile Environment Simulation platform offers a wide and flexible toolkit that prevents malware attacks at the earliest stages, preventing any damage from occurring at all, unlike traditional “detect and respond” solutions.
Resources
[1] https://arxiv.org/abs/2108.10422