Holistic Security
Security teams report grave concern over data breaches
- By Ryan Sherstobitoff
- Jun 15, 2009
In the wake of undiscovered data breaches and subsequent public exposure, a layered approach to security is becoming even more important for protecting a company’s critical assets.
Despite the increase in the number of data breaches via illicit means, internal controls are falling short of expectations and of assurances that critical assets remain uncompromised. According to the Identity Theft Resource Center, 336 breaches have been reported in 2008 alone, putting the overall number 69 percent higher than at this time last year. This is a grave concern for security teams, especially given that dedicated resources to combat and reverse this trend are lacking.
Hidden Threats from Within
The variable of hidden and unidentified infections will almost certainly introduce a lack of awareness and degree of concern when it comes to the protection of sensitive information and adherence to regulations.
More malware on the market today is designed to target specific platforms and the users who interact with them. For example, Banker Trojans are an increasing concern for the financial and e-commerce communities because of the pervasive ways in which they obtain personal information. This type of malware targets specific payment or banking platforms, covertly stealing credentials and fueling a rise in financial and economic fraud.
According to a recent online fraud report by Cybersource, annual revenue loss due to online fraud in 2007 amounted to $3.6 billion and the trend is expected to be consistent beyond 2008. Online fraud and the use of targeted phishing campaigns have evolved in parallel and are expected to steadily increase as well. These tactics have become popular among the hacker elite, who have taken an evolutionary step forward in sophistication and complexity.
What’s more of a concern is when tailored malware is involved in a targeted attack against a corporation’s intellectual property. These threats will most often stay under the radar for extended periods of time, remaining undetected by resident security software until it’s too late. The No. 1 reason these undiscovered or hidden threats exist is the limited distribution and complexity of the attack: because only a few key people are ever targeted, researchers never see or analyze the malcode, and therefore no signature defense is created.
Targeted Phishing Campaigns
Targeted phishing scams against corporate executives, also known as whale phishing, have recently been seen as a means of introducing malicious code into the environment. As the target is often intellectual property, financial records and personal employee data, these attacks are well thought out to ensure the highest possible success rate.
According to MessageLabs’s recent quarterly phishing and spam report, an increasing number of smaller state-level banks and credit unions continue to receive attention from hackers. In addition, targeted attacks have gone from what used to be two per day to more than 900 in less than a 24-hour period.
These attacks use a wide variety of social engineering tactics, including fake subpoenas, tax complaints and many other types of bait, to lure victims into executing an attached Trojan. Spear phishing tactics have begun to replace generic forms of phishing as users learn to recognize that generic messages are not legitimate. When targeting a company, hackers will develop a phishing campaign designed specifically for that company. They will research and obtain information concerning their targets to ensure that the message sent appears credible. In this case, even the most educated user may not realize the message is phony and should be deleted, making the chances of success much higher.
Subsequently, the payload delivered via these messages will look for confidential information and will leak it to an external third party through an encrypted back channel to a crime-ware server hosted by a cyber-gang.
Antivirus Cloaking Techniques
To further disguise their attacks, hackers have designed malware to avoid exhibiting traditional bad behavior usually flagged by behavioral heuristics. In other words, they are using the following cloaking techniques to hide the presence of an attack:
- Custom runtime packers.
- Server-side polymorphism or Crimeware-as-a-Service.
- Kernel-mode rootkits.
- Sophisticated memory subversion.
A major risk to security is the emergence of server-side polymorphism, or Crimeware-as-a-Service, in which the polymorphic engine does not reside within the virus code itself, but rather remotely on a server. There are two forms of server-side polymorphism that we know of today: the type that mass-distributes mutated variations of malware into the wild, and the type found on PCs that are part of a botnet, where a specific bot variant can be mutated remotely via a command over HTTP. This is called Crimeware-as-a-Service because the actual viral code resides in the cloud, similar to a Software-as-a-Service platform. In other words, CaaS provides malware-on-demand to the infected host.
This methodology has proven highly effective and difficult to counteract when approached with traditional anti-malware models. Server-side polymorphism is hard to detect because the transformation functions -- the routines used to change the signature of the code -- are not visible to the virus analyst. The actual algorithms or techniques involved in this process cannot be studied to the degree necessary to create an effective vaccination. Botnet communication is often encrypted as a defense mechanism to prevent easy discovery of the command-and-control server that dishes out the mutated malware. Attacks using server-side polymorphism often succeed in infecting their targets while flying under the radar.
The net effect is potential data exposure via malcode that often goes unseen. Analyzing the data points further shows that 73 percent of the documented breaches were conducted by outsiders, and that malcode was involved in 31 percent of them, according to a study published by the Verizon Business Risk team. When security solutions designed to detect and prevent these threats are not responding and the malware goes undetected for months, a serious security breach is possible and immediate action should be taken to remedy the situation.
With the avalanche of new threats seen on a daily basis, and the high degree of infections undetected by resident software, end users are encountering “The Silent Epidemic.” This is partly due to the deliberate strategies used by hackers to remain invisible for as long as possible, leaving resident security software in the dust. On average, more than 4,000 new malware strains are released every day, crippling the capabilities that antivirus labs have in place to respond efficiently.
Furthermore, the different variations of malware have increased and are expected to grow during the next five to 10 years, leading to many more data breaches and a host of other high-profile security incidents.
Protecting the Networks
The most important thing to remember when creating a secure virtual system is to take a holistic approach. Technologies such as system hardening, regular behavioral analysis, proactive end-point security, IPS firewall and heuristics technologies are essential for maintaining a fortified virtual environment. Included below are some tips on how to ensure you are meeting all of these requirements.
When designing what controls should be implemented and where, it’s necessary to harden the operating system on both the host and the virtual machines against common run-of-the-mill exploitation. It’s also critical to ensure that patches remain up to date. System hardening -- locking down the operating system -- should be a mandatory requirement because it will eliminate most malware that tends to exploit the zero-day vulnerabilities that exist in common application platforms. For example, it’s not necessary that Adobe Acrobat spawns a command shell or executes any other arbitrary system command.
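The Acrobat example above is a behavioral rule a defender can check for. The following Python is an added illustration, not code from the article or from Panda Security: it scans process-creation records for a document reader whose child is a command shell or script host. The record format, field names and the reader and shell lists are assumptions for this example.

```python
# Added example (not from the article): flag document readers such as Adobe
# Acrobat that spawn a command shell. The log records below are constructed
# for this illustration, and the field names are assumed, not product-specific.
from dataclasses import dataclass

# Parent images that should never need to launch a shell (assumed list).
DOCUMENT_READERS = {"acrord32.exe", "acrobat.exe", "winword.exe", "excel.exe"}
# Child images that indicate arbitrary command execution (assumed list).
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}

@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str

def basename(path: str) -> str:
    """Return the lowercase file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def is_suspicious(ev: ProcessEvent) -> bool:
    """True when a document reader launches a shell or script host."""
    return basename(ev.parent_image) in DOCUMENT_READERS and basename(ev.image) in SHELLS

def parse_event(line: str) -> ProcessEvent:
    """Parse a 'Key=value|Key=value' process-creation record (constructed format)."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ProcessEvent(fields["ParentImage"], fields["Image"], fields.get("CommandLine", ""))

def find_alerts(lines):
    """Return the command line of every suspicious event in the log."""
    return [ev.command_line for ev in map(parse_event, lines) if is_suspicious(ev)]

# Constructed sample log: Explorer opening Acrobat (benign), Acrobat launching
# cmd.exe (should alert), and Explorer launching cmd.exe (ordinary user shell).
SAMPLE_LOG = [
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Program Files\Adobe\Reader\AcroRd32.exe|CommandLine=AcroRd32.exe report.pdf",
    r"ParentImage=C:\Program Files\Adobe\Reader\AcroRd32.exe|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c echo test",
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe",
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print("ALERT: document reader spawned a shell:", alert)
```

The same parent-child check can be enforced rather than only detected by a behavioral-blocking policy that denies the reader process the right to create those child images.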
It’s also absolutely essential to conduct regular security assessments that include detecting both vulnerabilities and active threats. If your servers run Web-based applications, check them to ensure that exploitation such as SQL injections and input validation attacks cannot occur.
Ensure proactive end-point security with herd intelligence. The best way to ensure you are proactively capturing as much malicious data as possible is to employ a security system that uses herd intelligence, also known as collective intelligence. This innovative SaaS platform automates and enhances the malware collection, classification and vaccination process by gathering detections from the Internet community at large, rather than locally. By reducing the manual effort required to process the thousands of samples received daily, herd intelligence increases the capacity and visibility that the A/V lab has by deploying technologies within the cloud.
The Yankee Group has estimated that herd intelligence and other cloud-based technologies will quickly become mainstream. Andrew Jaquith, former security and risk management program manager for the Yankee Group, recommends that businesses “make herd intelligence central to their long-term survival strategies.” This technology allows companies to expand the number of malware samples they collect to 15,000 a day, Jaquith said.
“Antivirus companies that are not taking steps today to plan for malware volumes 100 times their current load are not thinking hard enough about the problem,” Jaquith wrote in an article titled “Herd Intelligence will Reshape the Antimalware Landscape.”
It’s imperative that system operators take a proactive approach when developing a security plan for a virtual network, because the rate at which new malware emerges outpaces the capability of antimalware labs to keep up and process new threats. The best end-point security solution should include more than just signature-based detection for malicious code.
A Layered Approach
All of these technologies -- system hardening, behavioral analysis, behavioral blocking, herd intelligence, IPS firewall and heuristics -- won’t protect against advanced threats if used in a standalone fashion, but in combination they will provide a robust layer of defense against sophisticated attacks.
If corporations do not take a holistic approach to end-point security, server-side polymorphism and other stealth tactics will continue to open the door to all sorts of problems, from the increase in targeted attacks to undisclosed data breaches. By using the most effective means of stopping hackers and preventing the onslaught of malware, users can rest assured that their valued information and assets will remain protected.
About the Author
Ryan Sherstobitoff is the chief corporate evangelist at Panda Security.