Products & Technology | September 25, 2019

Going Beyond Files: Destructive Object Analysis

[Image: cards labeled malicious, goodware, suspicious, Rapid ransomware, LockerGoga and Cerberus]

Before we dive into all the horrors of destructive objects, let's clarify an important point: File-level insights are still incredibly valuable to threat hunters. But files aren't the only way to sneak malware into your business, so file-level detection can't be the only visibility your security teams seek. In fact, that's the primary reason insight into objects is a critical piece of a stable security posture: without that level of visibility, you're missing vector after vector, and a given detection and mitigation strategy will likely never reach its potential.

Destructive objects, in short, are vulnerable or malware-infected files, emails, attachments, binaries, and third-party and open source code snippets, typically packed together: for example, a hidden active script and URL inside a PDF file, or an impersonated certificate within a digitally signed file. With that in mind, let's review some of the other key reasons destructive object insight, that is, insight beyond files, is critical to your security success.

1. Executables Only: A Thing of the Past

In traditional security protocols, running executables in a sandbox proved its value time after time. But, as they always do, threat actors adapted. Knowing that security teams expect to run malicious executables in a sandbox, they built workarounds. Beyond simple delays (sleeping long enough to outlast the patience of the analyst, or the sandbox's time budget), they moved toward hiding malware in other shapes and giving it other properties, the kind that would never make it into the sandbox in the first place. If the protocol covered a given set of file formats, the threat showed up in a new or different format. And if every executable written to disk is covered, and execution always means pulling a file from the hard drive and writing it into memory, you can see where this is going: why not skip the hard drive step entirely and run in memory alone?

In summary, executable-only detection isn't enough for slippery threats. Once executable sandboxing became ubiquitous, the landscape shifted, and object-level insight became invaluable.

2. Phishing: A Thing of the Present

Though phishing has always been a favorite attack vector for inept and highly adept threat actors alike, it may seem that moving past an executable-only mentality would keep malware files out of your employees' inboxes. Not the case. According to the 2019 Verizon Data Breach Investigations Report, 92 percent of malware is still delivered by email, making it the most common malware delivery vector there is.

And phishing is an excellent way to sneak a unique object (not just a file!) into the business. Specifically, phishing provides a mechanism for fileless malware (and file-based malware, which isn't going away) to enter and move through your environment while evading traditional defenses (see reason #1). Triaging high-priority attacks requires breadth of knowledge about every object entering and proliferating, including links and data strings your employees would never suspect, not just the dreaded, albeit classic and manageable, PDF download.

3. Supply Chain Attacks: A Thing of the Future

Yes, supply chain attacks are already in play. Yes, you are likely already attuned to them and looking in their direction. But in designing a stronger security program, you can't ignore the fact that these attacks are likely to become more common over time. Now is the moment to get ahead, and destructive object insight is a requirement.

SDLC supply chain attacks are, unsurprisingly, on the rise along with the rise of shared code repositories. Granted, code sharing is a vital component of the development community's success and speed; its value cannot be overstated or overlooked. But neither can its security implications. Even the most credible package manager repositories can let a malicious snippet slip through, or can verify a package when it is first published that later changes as new versions proliferate through your business.

To cover the supply chain ground as package manager repositories and their benefits become ever more deeply integrated into your SDLC, you must monitor these repositories and your integrated development environments for suspicious content, not just suspicious files. As sharing continues with no sign of slowing, the health of your development lifecycle requires object-level insight. Perhaps even more importantly, so does the health of every business unit and company your software may ever reach.

The Right Direction

Good news: Destructive object analysis is critical, but it is not impossible to achieve. With solutions like the Exchange/Office 365 AbuseBox and SMTP Connector, you gain visibility into areas analysts would otherwise miss in favor of file-only triage. Every object, whether link, attachment or file, should be analyzed via static file decomposition, regardless of its shape, size or entry point.
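To make "static file decomposition" concrete, here is an added example of what it looks like at the object level; it is not ReversingLabs code and not the logic behind the AbuseBox or SMTP Connector. It is a small Python scanner that takes apart a PDF of the kind described earlier (a hidden active script and URL inside a document) without rendering or executing anything. The two sample PDFs are constructed inline and deliberately minimal (no xref table, so they are for scanning, not viewing), the `example.invalid` URLs are placeholders, and the list of "active" name objects is an assumption for the example rather than an authoritative indicator set.

```python
import re
import zlib

# Name objects that turn a PDF from a passive document into an active one.
# Assumption for this example: presence is a lead for the analyst, not a verdict.
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
               b"/Launch", b"/URI", b"/EmbeddedFile", b"/RichMedia")

_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"stream\r?\n(.*?)\nendstream", re.DOTALL)


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx escapes so an obfuscated /J#61vaScript matches /JavaScript."""
    return _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def literal_strings(key: bytes, text: bytes) -> list:
    """Return the literal strings that directly follow `key`, e.g. /URI (http://...)
    or /JS (app.alert(1);), honoring the balanced parentheses and backslash
    escapes that PDF literal strings allow (hex strings <...> are not handled)."""
    out = []
    for m in re.finditer(re.escape(key) + rb"\s*\(", text):
        i, depth, buf = m.end(), 1, bytearray()
        while i < len(text) and depth:
            c = text[i:i + 1]
            if c == b"\\":                 # keep the escaped byte, do not count it
                buf += text[i:i + 2]
                i += 2
                continue
            depth += (c == b"(") - (c == b")")
            if depth:
                buf += c
            i += 1
        out.append(buf.decode("latin-1"))
    return out


def _decode_stream(raw: bytes) -> bytes:
    """Inflate FlateDecode stream bodies; uncompressed bodies pass through unchanged."""
    try:
        return zlib.decompressobj().decompress(raw)
    except zlib.error:
        return raw


def scan_pdf(data: bytes, depth: int = 0, max_depth: int = 4) -> dict:
    """Statically decompose a PDF: count active-content keys, pull out URIs and
    JavaScript, then recurse into every stream body (inflated if compressed)."""
    found = {"indicators": {}, "uris": [], "js": []}
    # Scan the object dictionaries with stream bodies cut out, so each stream's
    # content is counted exactly once, after decoding, in the recursion below.
    body = normalize_names(_STREAM.sub(b"stream\nendstream", data))
    for key in ACTIVE_KEYS:
        n = len(re.findall(re.escape(key) + rb"(?![A-Za-z])", body))
        if n:
            found["indicators"][key.decode()] = n
    found["uris"] += literal_strings(b"/URI", body)
    found["js"] += literal_strings(b"/JS", body)
    if depth < max_depth:
        for raw in _STREAM.findall(data):
            inner = scan_pdf(_decode_stream(raw), depth + 1, max_depth)
            for k, v in inner["indicators"].items():
                found["indicators"][k] = found["indicators"].get(k, 0) + v
            found["uris"] += inner["uris"]
            found["js"] += inner["js"]
    return found


def is_active(found: dict) -> bool:
    """Any active-content key means the document deserves analyst attention."""
    return bool(found["indicators"])


def build_samples() -> tuple:
    """Two constructed, deliberately minimal PDFs: one passive, one with hidden actions."""
    benign = (b"%PDF-1.4\n"
              b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
              b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
              b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj\n"
              b"4 0 obj << /Length 47 >> stream\n"
              b"BT /F1 12 Tf 72 712 Td (Quarterly report) Tj ET\n"
              b"endstream endobj\n%%EOF\n")
    # A /Launch action buried in a FlateDecode-compressed object stream: a plain
    # grep over the file bytes never sees it.
    hidden = zlib.compress(b"6 0 << /S /Launch /F (cmd.exe) /P (/c start payload.exe) >>")
    malicious = (b"%PDF-1.4\n"
                 b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj\n"
                 b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
                 b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [7 0 R] >> endobj\n"
                 # /J#61vaScript is /JavaScript to a reader, hex-escaped to dodge naive scanners
                 b"5 0 obj << /S /J#61vaScript /JS (app.launchURL(\"http://example.invalid/p\", true);) >> endobj\n"
                 b"7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://example.invalid/login) >> >> endobj\n"
                 b"8 0 obj << /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length "
                 + str(len(hidden)).encode() + b" >> stream\n" + hidden + b"\nendstream endobj\n%%EOF\n")
    return benign, malicious


if __name__ == "__main__":
    for name, pdf in zip(("benign", "malicious"), build_samples()):
        result = scan_pdf(pdf)
        print(name, "active" if is_active(result) else "passive", result)
```

The example deliberately handles the two evasions a file-only check trips over: hex-escaped names, which defeat a literal search for `/JavaScript`, and objects tucked inside a compressed stream, which defeat any scanner that does not inflate and recurse. It is still far from a complete decomposer: other filters (LZW, ASCIIHex, ASCII85, DCT), encrypted documents, hex-encoded strings and incremental updates all need handling before such a scanner can be trusted on real mail flow, which is exactly why object-level analysis belongs in a purpose-built pipeline rather than a regex.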

Look for capabilities beyond existing email security gateways and email abuse box tools. With the largest repository of malware and goodware in the industry of more than 8 billion files and objects, ReversingLabs offers complete visibility and insight into every destructive object, regardless of its size, complexity or type, in a manner that optimizes existing enterprise security investments in email, endpoint, SIEM, sandbox, threat intelligence, file share and package manager solutions. ReversingLabs integration with these solutions enables teams to seamlessly incorporate findings into established business processes across security, IT, architecture and DevOps teams, so no angle — and no object — is missed.

Learn more about Destructive Objects from our Webinar recording: How to Identify Hidden & Destructive Objects in Your Environment: Insights into Supply Chain & Phishing Attacks

