The history of cybersecurity is the story of an endless arms race between attackers and defenders. At the dawn of the computer age, when viruses were static and predictable, signature analysis was the main method of protection. It was long the gold standard, but today it shows a critical weakness: to create a signature, someone (often "patient zero") must first suffer the attack, then the sample must reach the analysts, and only after that is an update released. In a world where ransomware paralyzes an infrastructure in minutes, such a time lag is unacceptable. Moreover, attackers have learned to create malware that changes its digital fingerprint with every new download, which makes the signature database useless against targeted attacks.
A method was needed that evaluates not the "appearance" of a file (its code) but its "intentions" (its behavior), and it is this method that we will talk about today. The purpose of this review is to describe dynamic behavioral analysis and how it is applied in information security today.
Table of contents
1) Differences between static and dynamic (behavioral) analysis
2) Analysis in the Sandbox
3) Zero-day threat detection
4) Protection against encryptors (Ransomware)
5) Polymorphic and metamorphic viruses
6) Indicators of compromise (IoC) and attack (IoA)
7) Conclusions
1) Differences between static and dynamic (behavioral) analysis
We have already touched on a similar topic, which also has a static and a dynamic side, when we talked about source code analysis and secure development, so we will only briefly recall the main differences:
- Static analysis examines the sample "at rest", without executing it. It is fast and safe (because the code never runs) and helps find not only vulnerabilities in the code but also common errors. However, like signature analysis in information security, the static method does not detect runtime problems or weaknesses in how encryption is used, and it generates a large number of false positives. It can be compared to preparing your house for the New Year's celebration using a whole pile of TikTok videos: each blogger has his own to-do list, and you may improve your shopping list or decorate the Christmas tree in a new way, but there will be a lot of information to sift through, and anything that was not shown in the videos you will not get either.
- Dynamic analysis is a "black box" method: the system does not look inside the code but runs the program in a controlled environment and observes the results of its work. It is as if you drew on your past experience or, like Doctor Strange in the Avengers films, simulated thousands of universes in which you prepare for the New Year. In cybersecurity, this method makes it possible to find zero-day threats, to be resistant to obfuscation and polymorphism, and to identify genuinely malicious behavior (for example, an attempt to encrypt a disk). It requires more resources, but it gives higher accuracy.
Returning to today's topic: in the past, antivirus companies collected samples of malicious code, extracted unique byte sequences (signatures) from them, and sent updates to users. This approach worked on the principle "if we have seen it before, we will stop it." But the modern threat landscape has changed dramatically, and behavior modeling, sandboxes, and the dynamic analysis that runs inside them help protection adapt.
2) Analysis in the Sandbox
The sandbox is the technological embodiment of dynamic analysis: an isolated environment created for the safe execution (detonation) of untrusted programs. The whole point of the technology is to create a virtual environment that the malware takes for the user's real computer, while in fact it is completely controlled by the security system. Let's look at how it works:
a) A suspicious file is extracted from the data stream (email, web traffic, USB flash drive download, etc.).
b) The system deploys a virtual machine (operating system, account, and a set of programs).
c) Monitoring agents are deployed in this environment: kernel-mode hooks, user-mode hooks, and others. These tools log every action of the program.
d) The file is executed, and the system emulates user actions (mouse movements, clicks, scrolling through pages) to provoke the malware into activity. This stage is called detonation.
e) For a certain period of time (usually several minutes), all changes to the file system, registry, RAM, and network connections are recorded.
f) The collected data (behavior logs) are processed using heuristic rules, correlation analysis, and machine learning (ML) algorithms to reach a verdict: "dangerous" or "safe."
g) The virtual machine is destroyed and the environment is returned to its original clean state for further analysis. If everything was safe, the file can be opened in reality.
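Steps (e) and (f) are where the raw behavior log turns into a verdict. The following Python script is an added example, not code from the original article or from any sandbox product: it diffs a constructed "clean" state snapshot against a constructed post-detonation snapshot (step e) and then applies three heuristic rules, including one correlation rule that links a dropped file to its later execution, to a constructed event log (step f). Event kinds, rule weights, the 60-point threshold, and the sample paths and addresses are all assumptions made for the illustration.

```python
"""Toy post-detonation analysis: diff two VM state snapshots and score the behavior log.
Every snapshot, event, rule weight and threshold below is constructed for illustration."""
from dataclasses import dataclass


@dataclass
class Event:
    ts: float      # seconds since detonation
    kind: str      # process_create | file_write | registry_set | network_connect
    process: str   # image name of the acting process
    target: str    # child image, file path, registry value or remote endpoint


def snapshot_diff(before: dict, after: dict) -> dict:
    """Compare the clean VM state (step b) with the post-detonation state (step e).
    Each snapshot maps an artifact (file or registry value) to a content hash."""
    return {
        "created": sorted(k for k in after if k not in before),
        "deleted": sorted(k for k in before if k not in after),
        "modified": sorted(k for k in after if k in before and after[k] != before[k]),
    }


# Heuristic rules (step f): each returns a (finding, weight) pair or None.
def rule_persistence(events):
    # An autorun registry value written during the run
    for e in events:
        if e.kind == "registry_set" and "\\CurrentVersion\\Run\\" in e.target:
            return ("autorun persistence", 40)
    return None


def rule_drop_and_execute(events):
    # Correlation: a file written to a temp directory is later started as a process
    dropped = {e.target.lower() for e in events
               if e.kind == "file_write" and "\\temp\\" in e.target.lower()}
    for e in events:
        if e.kind == "process_create" and e.target.lower() in dropped:
            return ("drops and executes a payload", 50)
    return None


def rule_external_network(events):
    # Any connection that leaves the (constructed) private address ranges
    for e in events:
        if e.kind == "network_connect" and not e.target.startswith(("10.", "192.168.", "127.")):
            return ("connects to an external host", 20)
    return None


RULES = [rule_persistence, rule_drop_and_execute, rule_external_network]


def score_behavior(events: list) -> tuple:
    """Apply every rule, sum the weights and return (verdict, score, findings)."""
    findings = [f for f in (rule(events) for rule in RULES) if f]
    score = sum(weight for _, weight in findings)
    verdict = "dangerous" if score >= 60 else "safe"   # 60 is an assumed threshold
    return verdict, score, [name for name, _ in findings]


# Constructed sample: clean snapshot, post-run snapshot and behavior log of one detonation
RUN_KEY = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"
DROPPED = "C:\\Users\\u\\AppData\\Local\\Temp\\upd.exe"
BEFORE = {"C:\\Windows\\System32\\calc.exe": "h1", RUN_KEY + "OneDrive": "h2"}
AFTER = {"C:\\Windows\\System32\\calc.exe": "h1", RUN_KEY + "OneDrive": "h2",
         DROPPED: "h3", RUN_KEY + "upd": "h4"}
EVENTS = [
    Event(0.5, "file_write", "WINWORD.EXE", DROPPED),
    Event(1.2, "process_create", "WINWORD.EXE", DROPPED),
    Event(2.0, "registry_set", "upd.exe", RUN_KEY + "upd"),
    Event(2.4, "network_connect", "upd.exe", "203.0.113.7:443"),   # documentation range
]

if __name__ == "__main__":
    print(snapshot_diff(BEFORE, AFTER))
    print(score_behavior(EVENTS))
```

The snapshot diff and the event log answer different questions: the diff shows what the run left behind (useful as future IoCs), while the rules over the ordered events capture how it got there, which is what a verdict should rest on.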
The term itself comes from a children's sandbox in the yard: a fenced-in space where children can build and break anything without damaging the surrounding garden. In the context of information security, malware can "break" the system inside the sandbox, but the real corporate network remains intact.
The malware (like the main character of the film "The Truman Show") lives in an artificially created world, believing it to be real. It interacts with the environment (the scenery), but its every move is recorded by thousands of hidden cameras (analysis sensors), and the director (the security analyst) can change the script or stop the action at any moment.
Dynamic analysis is particularly effective against specific classes of threats that bypass traditional protection. Let's look at them in detail.
3) Zero-day threat detection
A zero-day threat is an attack that exploits a vulnerability the software developer does not yet know about, or for which a patch has not yet been released. The defenders have had "zero days" to prepare and there are no signatures, but the sandbox helps. It does not look for a code match; it sees an anomaly (much like the UEBA module of the Security Vision platform): if a Word document, once opened, tries to launch PowerShell and download a file from the Internet, that is suspicious regardless of which vulnerability is being exploited, old or zero-day. The behavior betrays the intent, and the system raises a suspected incident.
Imagine that a robber has a unique master key that the lock manufacturer does not know about. The security at the entrance (static analysis) lets him through because the key fits, but the surveillance cameras inside the building (dynamic analysis) record that the guest has started hacking the safe. It doesn't matter how he got in (in our case, through the zero-day vulnerability), it's important that he breaks the rules of behavior and tries to steal something.
4) Protection against encryptors (Ransomware)
Ransomware, or encryptors (as a class of malware), is one of the most destructive threats to businesses. Its goal is to deprive the victim of access to data. To protect against such threats, dynamic analysis identifies them by specific actions: mass opening of files for reading and writing in a short period of time, attempts to delete Windows shadow copies to prevent recovery, generation or download of encryption keys, modification of file headers, and so on.
Ransomware creates a "Gordian knot", a problem that cannot be untangled delicately: it has to be cut (wipe the system and restore it from a backup) or the attacker has to be paid. In real life it is like a kidnapping, where the perpetrator takes a hostage (the data) and leaves a ransom note. Dynamic analysis acts like a rapid-response team that breaks in at the moment the perpetrator is only beginning to tie up the victim, because those first actions are already detected as suspicious.
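Two of the actions listed above, a burst of file modifications and an attempt to delete shadow copies, lend themselves to simple runtime rules. The script below is an added example written for this review, not code from the original article or any vendor: it keeps a sliding window of high-entropy writes per process (byte entropy near 8 bits is a stand-in for "the file was overwritten with encrypted data") and flags a child process whose command line asks vssadmin to delete shadows. The window length, thresholds, process names, file paths and the sample documents are constructed for the demonstration.

```python
"""Toy ransomware behavior monitor over a constructed sandbox event stream.
Window, thresholds and all sample data are assumptions made for illustration."""
import math
from collections import defaultdict, deque


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted or compressed data approaches 8.0, prose stays well below."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class RansomwareMonitor:
    """Consumes file-write and process-create events and collects (process, reason) alerts."""

    def __init__(self, window_s: float = 5.0, burst_threshold: int = 20,
                 entropy_threshold: float = 7.0):
        self.window_s = window_s
        self.burst_threshold = burst_threshold
        self.entropy_threshold = entropy_threshold
        self.recent = defaultdict(deque)   # process -> timestamps of high-entropy writes
        self.alerts = []

    def _alert(self, process: str, reason: str):
        if (process, reason) not in self.alerts:   # report each finding once per process
            self.alerts.append((process, reason))

    def on_file_write(self, ts: float, process: str, path: str, content: bytes):
        # Only count writes whose content looks encrypted; many of them from one
        # process inside the window is the "mass file modification" indicator.
        if shannon_entropy(content) < self.entropy_threshold:
            return
        q = self.recent[process]
        q.append(ts)
        while q and ts - q[0] > self.window_s:
            q.popleft()
        if len(q) >= self.burst_threshold:
            self._alert(process, "burst of high-entropy file writes")

    def on_process_create(self, ts: float, parent: str, cmdline: str):
        # Shadow copy deletion is how encryptors try to block recovery
        low = cmdline.lower()
        if "vssadmin" in low and "delete" in low and "shadows" in low:
            self._alert(parent, "shadow copy deletion attempt")


def run_constructed_scenario() -> list:
    """Benign editor traffic followed by an encryptor; returns the alerts raised."""
    mon = RansomwareMonitor()
    text = b"Quarterly report, draft 3. Revenue grew modestly.\n" * 20
    ciphertext_like = bytes(range(256)) * 4      # uniform byte histogram: entropy exactly 8.0
    # A text editor saving 30 plaintext files in 3 seconds must not trigger anything
    for i in range(30):
        mon.on_file_write(i * 0.1, "notepad.exe", f"C:\\docs\\note{i}.txt", text)
    # The constructed encryptor rewrites 25 files in 2.5 seconds, then attacks recovery
    for i in range(25):
        mon.on_file_write(10 + i * 0.1, "locker.exe",
                          f"C:\\docs\\file{i}.docx.locked", ciphertext_like)
    mon.on_process_create(13.0, "locker.exe", "vssadmin.exe delete shadows /all /quiet")
    return mon.alerts


if __name__ == "__main__":
    for process, reason in run_constructed_scenario():
        print(f"ALERT {process}: {reason}")
```

The first alert fires on the twentieth high-entropy write, long before the encryptor finishes, which is the "capture at the moment of binding" behavior the paragraph describes; a real monitor would also watch rename patterns and header changes, which the page lists among the indicators.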
5) Polymorphic and metamorphic viruses
The viruses themselves are not far behind. Real masters of disguise have appeared in recent years: polymorphic viruses encrypt their body with a different key on each infection (the malicious part itself remains unchanged but is stored encrypted, and the decryptor is constantly changing), and metamorphic viruses completely rewrite their code with each iteration (swapping instructions, adding "garbage", changing register usage) while preserving functionality.
This disguise is similar to the flu virus, which is constantly mutating, changing the protein shell in order to deceive the immune system. But the symptoms of the disease (fever, cough) remain the same. Dynamic analysis is a doctor who makes a diagnosis based on the symptoms, not the appearance of the virus.
Static analysis sees a "new" file every time, but dynamic analysis waits for the launch moment. In order to work, the virus must decrypt itself in memory and execute malicious code, and at the same moment the disguise disappears.
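The following Python script is an added example for this section, not code from the original article: it models a polymorphic sample as an unchanging inert marker string XOR-wrapped with a fresh key per "infection", so that every stored copy has a different hash and a hash-based static scan never matches, while a scan of the bytes that appear after the sample's own decryptor has run matches every time. The marker text, the key length and the use of a plain hash set as the "signature database" are assumptions of the demonstration.

```python
"""Why polymorphism defeats file signatures but not a scan after unpacking.
The marker body, key length and signature store are constructed for illustration."""
import hashlib
import secrets

# Inert stand-in for the unchanging malicious body
PAYLOAD = b"constructed inert marker: this stands in for the unchanging malicious body"
# What a signature database knows: the hash of the body it has seen before
STATIC_SIGNATURES = {hashlib.sha256(PAYLOAD).hexdigest()}


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Symmetric toy transform used as both the 'packer' and the sample's decryptor."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def make_polymorphic_sample(key: bytes = None) -> tuple:
    """Same body, fresh random key each time: the file written to disk differs every time."""
    key = key or secrets.token_bytes(16)
    return key, xor_bytes(PAYLOAD, key)


def static_scan(sample_on_disk: bytes) -> bool:
    """Signature matching 'at rest': hash the file as stored."""
    return hashlib.sha256(sample_on_disk).hexdigest() in STATIC_SIGNATURES


def dynamic_scan(key: bytes, sample_on_disk: bytes) -> bool:
    """Let the decryptor run, then match what actually appears in memory at execution."""
    in_memory = xor_bytes(sample_on_disk, key)
    return hashlib.sha256(in_memory).hexdigest() in STATIC_SIGNATURES


def compare(n_samples: int = 5) -> dict:
    """Generate n infections of the same body and count the hits of each approach."""
    static_hits = dynamic_hits = 0
    file_hashes = set()
    for _ in range(n_samples):
        key, sample = make_polymorphic_sample()
        file_hashes.add(hashlib.sha256(sample).hexdigest())
        static_hits += static_scan(sample)
        dynamic_hits += dynamic_scan(key, sample)
    return {"distinct_files": len(file_hashes),
            "static_hits": static_hits, "dynamic_hits": dynamic_hits}


if __name__ == "__main__":
    print(compare())
```

Real decryptors are far more varied than one XOR loop, which is exactly why the page stresses that the match happens at the moment of execution: the static scanner sees a different file each time, while the runtime view sees the same decrypted body every time.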
6) Indicators of compromise (IoC) and attack (IoA)
The result of dynamic analysis is not just a verdict, but a set of data that is used to strengthen the entire protection system. It is important to distinguish between two concepts here:
Indicators of compromise (IoC) are digital evidence left behind after a malicious act. This is static data that says "you have been hacked": for example, the hash of a malicious file (MD5/SHA256), the IP address of the C&C server, a domain name, or a registry key created by the virus. They are used to block already known threats and to investigate incidents (forensics). It is like physical forensics, when the police collect the fingerprints, shell casings, blood drops, and shoe marks a robber left in a bank after a robbery. Investigators enter everything into a database and can catch the criminal if he leaves the same traces somewhere again.
Indicators of attack (IoA) are dynamic patterns of behavior that point to an intention to attack or to an attack that is taking place right now: for example, PowerShell launched from under Word, the svchost.exe process attempting to write a file to the startup folder, or a scan of the internal network from an accountant's workstation. They are used to proactively prevent attacks in real time. It works like analyzing the behavior of a person who walks around a bank, checks the surveillance cameras, puts on a mask, and takes out a crowbar. The robbery has not happened yet (no money has been stolen), but the combination of actions (indicators) allows security to intervene and prevent the crime. IoA focus on the tactics of the criminal, not on his appearance (fingerprints/signatures).
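To make the IoC/IoA distinction concrete, and to cover the Word-launches-PowerShell case from section 3 as well, here is an added Python example that is not part of the original article: one function matches events against a constructed IoC feed (exact hash, address, domain and registry lookups), the other looks for the three behavior patterns named above without any prior knowledge of the sample. The constructed event stream is a repeat intrusion in which the attacker has changed file hash and server address, so the IoC lookups find only a leftover connection to the old address while the IoA rules catch the new activity. Feed contents, host names, paths, the scan threshold and window are all assumptions.

```python
"""IoC lookups versus IoA behavior rules over one constructed event stream.
The feed, event log, host names, thresholds and paths are all constructed."""
from dataclasses import dataclass, field

# Constructed IoC feed from a past incident (placeholder hash, documentation-range IP)
IOC_FEED = {
    "sha256": {"0" * 64},
    "ip": {"203.0.113.7"},
    "domain": {"update-check.example"},
    "registry": {"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd"},
}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}


@dataclass
class Event:
    ts: float
    host: str
    kind: str            # process_create | file_write | network_connect | registry_set
    actor: str           # parent or acting process image
    target: str          # child image, file path, endpoint "ip:port" or registry value
    meta: dict = field(default_factory=dict)


def match_ioc(events: list) -> list:
    """IoC matching: exact lookup of known-bad artifacts; finds only what was seen before."""
    hits = []
    for e in events:
        if e.kind == "network_connect" and e.target.split(":")[0] in IOC_FEED["ip"]:
            hits.append((e.ts, "known C&C address", e.target))
        if e.kind == "registry_set" and e.target in IOC_FEED["registry"]:
            hits.append((e.ts, "known autorun value", e.target))
        if e.kind == "file_write" and e.meta.get("sha256") in IOC_FEED["sha256"]:
            hits.append((e.ts, "known file hash", e.target))
    return hits


def match_ioa(events: list, scan_threshold: int = 10, scan_window_s: float = 30.0) -> list:
    """IoA matching: behavior patterns that need no prior knowledge of the sample."""
    hits = []
    fanout = {}   # (host, actor) -> [(ts, internal destination ip)] inside the window
    for e in events:
        if (e.kind == "process_create" and e.actor.lower() in OFFICE_APPS
                and "powershell" in e.target.lower()):
            hits.append((e.ts, "Office application launches PowerShell", e.host))
        if (e.kind == "file_write" and e.actor.lower() == "svchost.exe"
                and "\\startup\\" in e.target.lower()):
            hits.append((e.ts, "svchost.exe writes to Startup folder", e.host))
        if e.kind == "network_connect" and e.target.startswith("10."):
            key = (e.host, e.actor)
            recent = [(t, d) for t, d in fanout.get(key, []) if e.ts - t <= scan_window_s]
            recent.append((e.ts, e.target.split(":")[0]))
            fanout[key] = recent
            if len({d for _, d in recent}) == scan_threshold:   # fire once, at the threshold
                hits.append((e.ts, "internal network scan from workstation", e.host))
    return hits


STARTUP = "C:\\Users\\acct\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\up.exe"
EVENTS = [
    Event(0.0, "acct-pc", "process_create", "WINWORD.EXE", "powershell.exe"),
    Event(1.0, "acct-pc", "network_connect", "powershell.exe", "198.51.100.5:443"),  # new server
    Event(2.0, "acct-pc", "file_write", "svchost.exe", STARTUP, {"sha256": "f" * 64}),  # new hash
] + [
    Event(3.0 + i, "acct-pc", "network_connect", "up.exe", f"10.0.0.{i + 1}:445")
    for i in range(10)
] + [
    Event(20.0, "hr-pc", "network_connect", "chrome.exe", "203.0.113.7:443"),  # old address
]

if __name__ == "__main__":
    print("IoC hits:", match_ioc(EVENTS))
    print("IoA hits:", match_ioa(EVENTS))
```

The two lists illustrate the complementary roles described above: the IoC hit is a cheap, precise signal worth keeping for investigation, but only the IoA rules see the attack that is happening now.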
7) Conclusions
Dynamic behavioral analysis is the current high point in the evolution of malware detection methods. The transition from static signature matching to deep real-time behavior analysis has allowed the security industry to even the odds in the fight against cybercrime. The sandbox is the main tool for implementing dynamic analysis, but it requires constant improvement to counter evasion techniques, and maximum effect is achieved by integrating sandboxes with solutions such as SOAR, EDR (which is part of Security Vision SOAR), or NGAV, turning a local detection into an IoC that becomes global immunity for the entire organization.