Protect Against Attack
Stop theft of credit card and other biographical data
- By Brian Laing
- Feb 04, 2014
The one thing consistent about malware attacks is that they keep changing. Early attacks were unstructured and untargeted, indiscriminately homing in on large numbers of hosts in an attempt to find any vulnerability at all. The outcome was usually simple defacement or destruction of data, and very few of those attacks were ever covered in the news.
Fast forward to 2014. The goals of attackers have shifted away from basic defacement (the "smash-and-grab" approach of rapid infection) and decidedly towards stealth, driven by financial gain and data theft. The shift was fueled by the theft of credit card and other biographical data, and it has driven up the rate at which new malware is created, the number of breaches and the total cost of a breach.
Recent Breach Statistics
Figures from the AV-TEST Institute (www.av-test.org) show the number of newly created malware samples passing 30 million in 2012; today the institute registers more than 200,000 new malicious programs every day. This rapid growth in new malware has had a major impact on breaches as well: Verizon research shows that 69 percent of breaches during 2011 incorporated malware.
Looking at the financial side of the equation, the Ponemon Institute's 2013 study shows companies paying as much as $199 per record, with the total cost of a single breach in the United States as high as $5.4 million. Tracking from 2005 to the present, Privacy Rights Clearinghouse counts nearly 622 million records (621,955,664 to be exact) compromised in 4,088 data breaches that were made public in the United States.
While the cost of handling a record breach is staggering, the additional loss from fraudulent use of the breached records is just as significant. LexisNexis reports $21 billion in losses due to identity fraud in 2012, and the trend is getting worse, not better. One only needs to look at the Target breach over Thanksgiving 2013 as evidence.
Weapons-Grade Malware Lying in Wait
So far, we have only talked about breaches that have become public and about the creation of known malware. But there is also a large amount of unknown, weapons-grade malware, built to a quality level that allows it to be used in advanced targeted attacks, sitting in stealth mode and waiting for instructions.
These new attacks are highly targeted and use code that has been QA-tested to a level that rivals many commercial applications. That level of QA lets an attack be assembled from multiple code modules that can be updated or swapped out over built-in command-and-control channels.
Each module has its own task. One module profiles hosts and reports back on potential targets. Other modules add evasion and protection capabilities: they locate security or monitoring systems that could detect the malware, then disable those systems or feed them false information so the malware remains undetected. If a module cannot handle a given defense, other modules can be loaded to breach the profiled targets, collect the targeted information or deliver a destructive payload.
New Options in Malware
The options are constantly expanding, with examples such as Stuxnet, Duqu, Flame and PlugX showing what can be done. Although not all unknown malware is as complex as Stuxnet, it still borrows techniques from its more complex brethren.
This new malware is not used only by cybercriminals. A recent report says the NSA has installed malicious software on 50,000 or more hosts belonging to telecommunications providers and others around the globe. The software is designed to remain dormant until the NSA calls it into action over an established command-and-control channel. Once the sleeper agent is called to action, it can collect personal data and feed it back to the NSA, be updated with new functionality, or execute other tasks supported by the modules installed in the malware.
New forms of detection have emerged to counter these new forms of attack.
Advanced Malware Protection – A New Type of Security System
Moving beyond the traditional signature matching of the antivirus software we all hopefully have installed, new protection systems must cope with the volume and velocity of unknown threats. This new class of security system, the advanced malware protection system (often sold under labels such as "advanced threat protection"; not to be confused with APT, the advanced persistent threat it is meant to stop), has been adopted faster than any other security technology.
Instead of matching the signatures of known malware, these systems use behavior analysis to decide whether a file is malicious. Each file is executed in an advanced malware analysis system that observes it either by hooking operating system calls or by emulating the CPU, collects the resulting behaviors and analyzes them for signs of maliciousness. Traditional sandboxes monitor basic behaviors such as Windows registry changes and file activity; CPU emulation additionally sees a broader set of behaviors and can detect advanced forms of evasion, including malware that changes course once it notices it is being observed.
Basic behaviors that typically indicate malicious intent include file and settings changes. Consider a sample whose basic behaviors alone, file drops and configuration changes, would normally be enough to flag it as suspicious. Its advanced behaviors, disabling Windows Security Center, Windows Update and system error reporting, are examples of evasive behavior and place the file firmly in the malicious category. The attack finishes by trying to steal passwords.
Across the samples Lastline currently analyzes that exhibit one of these three advanced behavior types, the split is 13 percent disable, 31 percent evasion and 56 percent steal.
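To make the behavior-based verdict concrete, here is an added example in Python; it is not Lastline's code and not part of the original article. It walks a constructed sandbox event trace and assigns a verdict using the article's categories: basic behaviors (file drops, persistence) alone yield "suspicious", while any disable, evasion or steal behavior yields "malicious". The event format, the specific registry values, service names and file paths used as indicators, and the verdict thresholds are assumptions chosen for illustration, not a vendor's rule set.

```python
"""Toy behavior-based verdict over a constructed sandbox trace.

Added example for illustration only: not Lastline's code and not from the
original article. Event kinds, indicator paths and thresholds are assumptions.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str     # "reg_set", "reg_query", "file_write", "file_read", "svc_stop"
    target: str   # registry value path, file path or service name
    data: str = ""  # value written, if any


# Indicator rules: (event kind, case-insensitive substring of target, category).
# "basic" alone -> suspicious; "disable", "evasion" or "steal" -> malicious.
# Paths are well-known Windows locations but chosen here as assumptions.
RULES = [
    ("reg_set",   "\\Microsoft\\Windows\\CurrentVersion\\Run\\",            "basic"),
    ("file_write", "\\Windows\\System32\\",                                 "basic"),
    ("reg_set",   "\\Microsoft\\Security Center\\AntiVirusDisableNotify",   "disable"),
    ("reg_set",   "\\Microsoft\\Security Center\\FirewallDisableNotify",    "disable"),
    ("svc_stop",  "wscsvc",                                                 "disable"),
    ("reg_set",   "\\WindowsUpdate\\AU\\NoAutoUpdate",                      "disable"),
    ("reg_set",   "\\Windows Error Reporting\\Disabled",                    "disable"),
    ("reg_query", "\\VMware, Inc.\\VMware Tools",                           "evasion"),
    ("reg_query", "\\Oracle\\VirtualBox Guest Additions",                   "evasion"),
    ("file_read", "\\Google\\Chrome\\User Data\\Default\\Login Data",       "steal"),
    ("file_read", "\\Mozilla\\Firefox\\Profiles\\",                         "steal"),
]


def classify_event(ev: Event):
    """Return the category of the first rule the event matches, else None."""
    target = ev.target.lower()
    for kind, needle, category in RULES:
        if ev.kind == kind and needle.lower() in target:
            return category
    return None


def analyze(trace):
    """Return (verdict, category counts, matched events) for a trace."""
    hits = Counter()
    matched = []
    for ev in trace:
        category = classify_event(ev)
        if category is not None:
            hits[category] += 1
            matched.append((category, ev))
    advanced = {c for c in hits if c != "basic"}
    if advanced:
        verdict = "malicious"      # any disable/evasion/steal behavior
    elif hits["basic"]:
        verdict = "suspicious"     # only file drops / persistence seen
    else:
        verdict = "clean"
    return verdict, dict(hits), matched


# Constructed trace mirroring the sample described in the article: drop a
# file, persist, disable Security Center, Windows Update and error
# reporting, then read a browser credential store.
SAMPLE_TRACE = [
    Event("file_write", "C:\\Windows\\System32\\svchost32.exe"),
    Event("reg_set", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
          "C:\\Windows\\System32\\svchost32.exe"),
    Event("reg_set", "HKLM\\SOFTWARE\\Microsoft\\Security Center\\AntiVirusDisableNotify", "1"),
    Event("svc_stop", "wscsvc"),
    Event("reg_set", "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\NoAutoUpdate", "1"),
    Event("reg_set", "HKLM\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Disabled", "1"),
    Event("file_read", "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"),
]

# Constructed trace of an ordinary installer: only a persistence entry.
INSTALLER_TRACE = [
    Event("file_write", "C:\\Program Files\\Acme\\acme.exe"),
    Event("reg_set", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Acme",
          "C:\\Program Files\\Acme\\acme.exe"),
]

if __name__ == "__main__":
    for name, trace in (("sample", SAMPLE_TRACE), ("installer", INSTALLER_TRACE)):
        verdict, counts, matched = analyze(trace)
        print(f"{name}: {verdict} {counts}")
        for category, ev in matched:
            print(f"  [{category}] {ev.kind} {ev.target}")
```

The rule table is the interesting part: the basic indicators are things legitimate installers also do, which is why they only raise the verdict to suspicious, while the disable and steal indicators have no benign explanation. Note that a trace like this is only as good as the sandbox that produced it; malware that detects the monitoring hooks simply never emits the revealing events, which is the gap CPU emulation is meant to close.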
Enterprise Strategy Group (ESG) asked 198 security professionals at companies with at least 1,000 employees whether their organizations had deployed network anti-malware technology: 52 percent were running pilots, and a further 13 percent planned to deploy within the next 24 months. Not only is a large share of companies now deploying these solutions, 74 percent have increased their budget significantly or at least somewhat over the past two years as a direct response to APTs, and 55 percent of enterprises say they have allocated budget dollars specifically for one of these new anti-malware technologies.
In today's malware environment, the challenge is less about tackling known malware with traditional security technologies and more about how to protect effectively against unknown, advanced malware. The challenge and opportunity for security professionals lies in combining practical technologies, such as advanced malware analysis systems that go beyond traditional sandboxing, with specialized staff who are well trained and equipped to defend against today's bad guys.
This article originally appeared in the February 2014 issue of Security Today.