Security Terms Explained:
A Primer on Polymorphism

Security Terms Explained: A Primer on Polymorphism


During a recent client presentation, a member of our sales team (no doubt caught up in the excitement

common to security professionals) used the term “polymorphism.” The client, who was unfamiliar with

the term, could only sit in confusion until the sales rep took a breath. The resulting interaction quickly

taught us two things: 1. Be mindful of using jargon and overly technical terminology in client discussions

(a.k.a., know your audience), and 2. Take the appropriate opportunities to familiarize your audience

with new and emerging terms, attack methods, and defensive strategies.


Derived from the Greek "poly" (many) and "morphe" (form), polymorphism is used in biology to

describe variations within a given species of animal. In cybersecurity, however, polymorphic simply

describes different variations of the same basic attack. For example, every attack has a payload, or a

means to deliver malicious data. These can come in any number of forms: text message, email, image,

executable files, etc. Every attack payload has some form of identifiable information—origin, sender,

even the literal content being delivered—embedded right in the payload.


And though they have existed for a few decades, over the past several years polymorphic attacks have

swelled in volume and capacity for damage. In fact, according to Webroot, more than 94 percent of

malicious executables involve polymorphic malware.1


Why email is such an effective courier of attacks


Email is commonly and benignly used as a payload to deliver data. Every email has metadata (a set of

data about data) associated with it, such as the From / To fields, a return path parameter, the subject

line, and so on.


Polymorphic describes different variations of the same basic attack

Figure 1. Email and Email Metadata


Historically, attackers take a normal email message, modify some aspects of the metadata, and send it

to a potential victim. Traditional security tools first require a method to find the compromised email,

after which the modified metadata must be identified, followed by writing a rule to describe that

metadata, and only then will the tool start filtering based on that rule. This approach is problematic.

First, someone must investigate and analyze the email, assess what was changed, determine how to

write the necessary rule, and define that rule in their security tool. This process takes a significant

amount of time, which is no longer realistic in today’s fast-moving world.


Today, attackers can easily take advantage of organizations because they exploit the delay between the

time their email is sent, and the time action is taken against it. They do this by developing and

implementing automation tools to generate “many forms” of a given attack. In other words, attackers

create a huge number of subtle variations of the same basic attack—a polymorphic attack—and

overwhelm organizations with the speed and volume of one attack type or another.


Polymorphic describes different variations of the same basic attack

Figure 2. Email and Malicious Email Metadata


The value of a thorough and candid analyst


At IRONSCALES, our goal is to stop the attackers before they can damage your business. We strive to

arm your teams with the latest knowledge, tools, and education to make that a reality. This was the

impetus behind the development of our algorithm, Themis.


Named for the Greek goddess of good counsel, Themis will review the historical mail in your

environment, amassing deep knowledge about your users, how they are organized, who they interact

with, and how/when they communicate. Next, Themis will examine every message your organization

receives. She will analyze the metadata for those messages and then go even deeper, seeking any

variations in your team’s communication patterns. For example, is it normal for your CEO to engage with

a purchaser who is several levels down on the organizational structure? Would it make sense if your CFO

suddenly began using words incorrectly and ignoring basic grammar? The answers will depend on the

organization, the relationships, and the individuals—and only after deep analysis will they be revealed.


Following that analysis, Themis will rate each message. If a given message is rated beyond a set

threshold, she will immediately quarantine it, summarize her findings, alert the security operations



team, and ask them to make a final determination. Once that’s been done, Themis gets stronger and

smarter. She applies this newly gained knowledge to every company she protects, instantly. Armed with

this information, security teams can stop searching and start deciding where attacks are coming from,

who is being targeted, and how best to direct their resources.


The bottom line is simple: Attackers using polymorphic attacks in huge volumes can now be stopped

thanks to this technology that analyzes messages in totality and within the context of how your team

communicates. Learn more about Themis, then request a demo.