Signatures - secuguru/security-terms GitHub Wiki
Signatures in cybersecurity refer to predefined patterns or characteristics that are used to identify malicious activity or threats in a system. Signatures can be applied to both host-based and network-based environments to detect indicators of compromise (IOCs) or known malicious behavior.
1. Host-Based Signatures:
These signatures focus on detecting suspicious activity or changes within a particular host (e.g., a computer or server). Host-based signatures are often used by antivirus software, endpoint detection tools, and host-based intrusion detection systems (HIDS).
- Examples of Host-Based Signatures:
- Registry Changes: Certain types of malware modify system registries in Windows to maintain persistence (e.g., adding an entry to auto-start during boot). A host-based signature might look for specific changes to critical registry paths, such as those in HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER, which are commonly targeted by malware.
- Example: A registry key being added to ensure the malware starts every time the system boots.
- File Creation or Modification: Malware often creates or modifies files on a host system. Host-based signatures can detect unusual file creation (e.g., in system directories or hidden folders) or modifications to system files (e.g., changes to explorer.exe or other critical files).
- Example: A signature that detects the creation of specific malicious files in the Windows System32 directory.
- Malware Strings: Signatures can detect known strings or code fragments commonly found in malware samples. These signatures match certain sequences of bytes or text that are characteristic of a specific malware strain.
- Example: An antivirus solution might search for strings in binaries that are known to belong to a particular piece of malware, such as ransomware or a keylogger. Host-Based Signatures are commonly used by antivirus programs, host-based intrusion detection systems (HIDS), and other endpoint security solutions. These signatures work by matching known patterns of malicious behavior to detect threats at the device level.
- Registry Changes: Certain types of malware modify system registries in Windows to maintain persistence (e.g., adding an entry to auto-start during boot). A host-based signature might look for specific changes to critical registry paths, such as those in HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER, which are commonly targeted by malware.
2. Network-Based Signatures:
Network signatures detect malicious or abnormal activity in network traffic. They are typically used by network-based intrusion detection systems (NIDS), firewalls, or other network security tools to monitor for known attack patterns.
- Examples of Network-Based Signatures:
- DNS Record Checking: Some malware, particularly those involved in command and control (C2) operations, communicates with remote servers using domain names. A network-based signature might look for DNS queries that are attempting to resolve domain names linked to known malicious infrastructure, such as C2 servers.
- Example: A signature that detects DNS requests to domains associated with a botnet or malware family (e.g., domains used by a specific ransomware campaign for communication).
- Suspicious Network Traffic: Network-based signatures might monitor for traffic patterns associated with known attack techniques, such as scanning activity, or attempts to exploit vulnerabilities over the network.
- Example: A signature that flags large amounts of outbound traffic from a server to an unusual IP address as indicative of data exfiltration.
- Protocol Misuse: Network signatures can identify anomalies in how network protocols are used, such as deviations in packet structure or unexpected sequences, which could indicate an attack.
- Example: Detection of malformed HTTP requests designed to exploit vulnerabilities in web servers. Network-Based Signatures are utilized in systems like NIDS (Network Intrusion Detection Systems) or firewalls to monitor traffic between devices and across network boundaries, identifying threats based on known patterns of malicious network behavior.
- DNS Record Checking: Some malware, particularly those involved in command and control (C2) operations, communicates with remote servers using domain names. A network-based signature might look for DNS queries that are attempting to resolve domain names linked to known malicious infrastructure, such as C2 servers.
Summary:
- Host-Based Signatures detect malicious activity directly on the host, such as registry changes, file creation/modification, or known malware strings in binaries. Tools like antivirus software and HIDS typically use these signatures.
- Network-Based Signatures detect suspicious activity at the network level, such as checking DNS records for communications with C2 servers or detecting unusual network traffic. These signatures are used by NIDS, firewalls, and other network security tools.
Both types of signatures are essential for identifying and responding to threats, whether they manifest at the host or network level.