Security Terms Explained: A Primer on Polymorphism
During a recent client presentation, a member of our sales team (no doubt caught up in the excitement
common to security professionals) used the term “polymorphism.” The client, who was unfamiliar with
the term, could only sit in confusion until the sales rep took a breath. The resulting interaction quickly
taught us two things: 1. Be mindful of using jargon and overly technical terminology in client discussions
(a.k.a., know your audience), and 2. Take the appropriate opportunities to familiarize your audience
with new and emerging terms, attack methods, and defensive strategies.
Derived from the Greek "poly" (many) and "morphe" (form), polymorphism is used in biology to
describe variations within a given species of animal. In cybersecurity, however, polymorphic simply
describes different variations of the same basic attack. For example, every attack has a payload, or a
means to deliver malicious data. These can come in any number of forms: text message, email, image,
executable files, etc. Every attack payload has some form of identifiable information—origin, sender,
even the literal content being delivered—embedded right in the payload.
And though they have existed for a few decades, over the past several years polymorphic attacks have
swelled in volume and capacity for damage. In fact, according to Webroot, more than 94 percent of
malicious executables involve polymorphic malware.1
Why email is such an effective courier of attacks
Email is commonly and benignly used as a payload to deliver data. Every email has metadata (a set of
data about data) associated with it, such as the From / To fields, a return path parameter, the subject
line, and so on.
Figure 1. Email and Email Metadata
Historically, attackers take a normal email message, modify some aspects of the metadata, and send it
to a potential victim. Traditional security tools first require a method to find the compromised email,
after which the modified metadata must be identified, followed by writing a rule to describe that
metadata, and only then will the tool start filtering based on that rule. This approach is problematic.
First, someone must investigate and analyze the email, assess what was changed, determine how to
write the necessary rule, and define that rule in their security tool. This process takes a significant
amount of time, which is no longer realistic in today’s fast-moving world.
Today, attackers can easily take advantage of organizations because they exploit the delay between the
time their email is sent, and the time action is taken against it. They do this by developing and
implementing automation tools to generate “many forms” of a given attack. In other words, attackers
create a huge number of subtle variations of the same basic attack—a polymorphic attack—and
overwhelm organizations with the speed and volume of one attack type or another.
Figure 2. Email and Malicious Email Metadata
The value of a thorough and candid analyst
At IRONSCALES, our goal is to stop the attackers before they can damage your business. We strive to
arm your teams with the latest knowledge, tools, and education to make that a reality. This was the
impetus behind the development of our algorithm, Themis.
Named for the Greek goddess of good counsel, Themis will review the historical mail in your
environment, amassing deep knowledge about your users, how they are organized, who they interact
with, and how/when they communicate. Next, Themis will examine every message your organization
receives. She will analyze the metadata for those messages and then go even deeper, seeking any
variations in your team’s communication patterns. For example, is it normal for your CEO to engage with
a purchaser who is several levels down on the organizational structure? Would it make sense if your CFO
suddenly began using words incorrectly and ignoring basic grammar? The answers will depend on the
organization, the relationships, and the individuals—and only after deep analysis will they be revealed.
Following that analysis, Themis will rate each message. If a given message is rated beyond a set
threshold, she will immediately quarantine it, summarize her findings, alert the security operations
team, and ask them to make a final determination. Once that’s been done, Themis gets stronger and
smarter. She applies this newly gained knowledge to every company she protects, instantly. Armed with
this information, security teams can stop searching and start deciding where attacks are coming from,
who is being targeted, and how best to direct their resources.
The bottom line is simple: Attackers using polymorphic attacks in huge volumes can now be stopped
thanks to this technology that analyzes messages in totality and within the context of how your team
communicates. Learn more about Themis, then request a demo.