In Defence of Signatures – They Don’t Suck

You’ve heard it before — Signatures suck.

This trope is so common that you even have RFPs specifically banishing signatures as if they’re some shameful pariah step-child.

It’s a Friday evening, so we’ve decided to step up and defend the undefended. As is typical in our hype-fuelled industry, there’s more to be explored and understood here.

Detection v/s Identification

It’s a matter of language. You see, signatures are far from bad. Their miserable reputation stems from the company they kept in school — that nasty second word, ‘detection’.

Let’s get this out of the way — ‘detecting’ stuff with static signatures is usually, always A Bad Thing (™), but ‘identifying’ stuff with signatures actually rocks. Very hard.

Here’s an experiment. You’ve been given a 10 GB PCAP. There are (at least) three attacks going on. How are you going to identify what they are?

Go on… dice that baby like Martin Yan with Wireshark… whip out your hex-editor, conjure up your disassembler, use Solarized as a colorscheme if you’re getting really hardcore. Time yourself, you maestro of packets…

Now go: snort -r foo.pcap

In this case, you’re detecting AND identifying the bad stuff with signatures. A small modification to the attack would obviously mean you miss detecting it (very bad).

However, if you have an alternate detection approach (e.g. behaviour, deception, anomaly detection, in this case, perhaps Bro-IDS), then signatures become very useful for the ‘identification‘ part. They let you very quickly pull out things that we already know are bad.

You don’t see DFIR folks hating on Yara do you? Of course not… it’s using signatures to identify what we already know is bad (if you’re using it for detection, that’s a problem).

So signatures rock. That’s right, we said it. They’re like selfie sticks — to be used at an appropriate time.

But My bandwidth!

Okay, so besides hating on the brittle-ness of detection, what else do people dislike about signatures?

There’s that old antivirus bug-bear of ‘updates’ — thousands of endpoints slavishly pulling down the latest sigs. Very 90’s.

Once again, this doesn’t matter if you’re doing centralised identification. You’ve got (probably) a single system pulling down a daily update, or some solution up in the cloud. As long as it’s not pushing stuff to your nodes and chewing bandwidth, why do you care?

That signature update is going to take the hard work off your analysts to instantly identify stuff that we already know how to deal with. Suddenly sounds like a winning proposition.

Hello Pot, Meet Kettle…

Ask your DFIR rockstar what’s the first place she goes with a shiny new malware sample. Chances are, you’ll hear VirusTotal (yeah, yeah, caveats of non-sharing samples, and in-house analysis platforms aside).

Sure, there’s a lot of heuristics and fancy detection mechanisms on there now, but often she’s just looking for that quick flag on ‘Riskware/PsExec’. What’s wrong with that?

Fun thought: Why do so many vendors that claims behavioural / ML / what-have-you approaches finally plug into everyone’s favourite multi-AV scanner? Beyond the marketing hype, there’s definitely signatures involved.

Make Signatures Great Again

So somewhat tongue-in-cheek, let’s all promise to insist that solutions use signatures for identification, and restore them to their rightful place in the cybersecurity pantheon.

To all the IDS and malware analysts sweating away over unique byte sequences — we salute you!

Next week: We defend MD5 and PERL scripts /sarcasm.

Disclosure #1: Smokescreen only ever detects stuff with deception because that’s just how we like to roll; but of course we love using signatures to identify naughty things. Ignoring them would be plain stupid. We do, however, really enjoy arguing against conventional wisdom.

Disclosure #2: Smokescreen doesn’t actually believe there’s ever an appropriate time for selfie sticks. Unfortunately, our head of engineering disagrees.