Protect Against Attack

Protect Against Attack

Stop theft of credit card and other biographical data

  • By Brian Laing
  • Feb 04, 2014

<p>The one thing consistent about malware attacks is that they continue to change quite a bit as time goes by. Initially, many attacks were unstructured and untargeted, indiscriminately honing in on large numbers of hosts in an attempt to find their vulnerabilities. The outcome of these initial attacks was often simple defacement or destruction of data with very few of the overall volume of these attacks covered in the news. </p> <p>Fast forward to 2014. </p> <p>The goals of attackers have shifted away from basic defacement (“smash-and-grab” approach of rapid infection) with a decided move towards stealth, driven by financial gain or data theft. This shift was generated from the theft of credit card and other biographical data, and has driven up the creation of new malware, the number of breaches and the total cost of a breach.</p> <p><strong>Recent Breach Statistics</strong> </p> <p>Indications from the AV-TEST Institute (www.av-test.org) demonstrate where the amount of created malware increased to over 30 million in 2012. Currently, however, this institute registers more than 200,000 new malicious programs every day. This rapid increase in new malware has had a major impact on breaches, as well. Verizon research shows that 69 percent of breaches during 2011 incorporated malware. </p> <p>Looking at the financial side of the equation, the 2013 Ponemon Institute shows companies paying as much as $199 per record with total costs as high as $5.4 million for a breach in the United States. Tracking from 2005 to present, Privacy Rights Clearinghouse shows nearly 622 million (621,955,664 to be exact) records compromised from 4,088 data breaches that were made public in the United States. </p> <p>While the financial loss from handling record breaches is staggering, the additional loss from the fraudulent use of any breached data records is significant. LexisNexis shows $21 billion in losses due to identity fraud in 2012, adding to the trend that this is worse, not better. One only needs to look at the 2013 Thanksgiving Target breach as evidence. </p> <p><strong>Weapons-Grade Malware Lying in Wait</strong> </p> <p>So far, we have only talked about information covering breaches that have become public and the creation of known malware. But, there is also a large amount of unknown, weapons-grade malware, elevated to a quality level that allows it to be used in advanced targeted attacks, lying in stealth-mode, waiting for instructions. </p> <p>These new attacks are now highly targeted, using code that has been QA-tested to levels that rival many commercial applications. This level of QA has allowed attacks to now use multiple code modules that can be updated or swapped out via built-in, command-and-control channels. </p> <p>Each module has its own task, for example, profiling systems to help in the identification of target systems that report back on potential targets. Other modules add evasion and protection capabilities. These modules can locate security or monitoring systems that can potentially detect, disable or feed them false information to allow the malware to remain undetected. If a module cannot handle a given defense, other modules can be loaded to breach profiled targets, collect targeted information or deliver some destructive payload. </p> <p><strong>New Options in Malware</strong> </p> <p>The options are constantly expanding with examples such as Stuxnet, Duqu, Flame, and PlugX showing what can be done. Although not all unknown malware is as complex as a Stuxnet, it will still use various techniques of its more complex brethren. </p> <p>This new malware is not just used by cybercriminals. A recent report shows that the NSA has 50,000 or more hosts where they have installed malicious software on systems belonging to telecommunications providers and others around the globe. This software has been designed to remain dormant until the NSA calls it into action through an established command-and-control channel. Once the sleeper agent is called-to-action, it can collect personal data and feed that information back to the NSA, be updated with new functionality or execute other tasks based on installed modules in the malware. </p> <p>New forms of detection have come about to detect these new forms of attacks. </p> <p><strong>APT – A New Type of Security System</strong> </p> <p>Moving away from the traditional signature matching of antivirus software that we all hopefully have installed, new protection systems must be able to protect against the quantity and voracity of unknown threats. This new type of security system, advanced protection system (APT) or advanced malware protection system, has been adopted faster than any other security technology. </p> <p>Instead of focusing on the signatures of known malware, these new systems focus on behavior analysis to determine if a file is malicious. Each file is run in an advanced malware analysis system that opens the file and uses either operating system calls or CPU emulation to collect and then analyze the needed behaviors to determine maliciousness. While traditional systems will monitor basic behaviors such as windows registry changes, file activity and more, CPU emulation can detect advanced forms of evasion along with a broader set of behaviors. </p> <p>Some basic behaviors that would typically indicate malicious behaviors include file and settings changes. The basic behaviors in this sample would normally be enough for this file to be suspicious while the additional, advanced behaviors of disabling Windows security center and updates, and system error reporting, two examples of evasive behaviors, place this file firmly in the malicious category. The attack finishes with trying to steal passwords. Currently, when Lastline analyzes a sample containing one of these three advanced behavior types, they are split between 13 percent disable, 31 percent evasion and 56 percent steal. </p> <p>Enterprise Strategy Group (ESG) asked 198 security professionals at companies of at least 1,000 employees if their organizations had deployed network anti-malware technology; 52 percent were doing pilots, with 13 percent looking to deploy within the next 24 months. Not only are a high number of companies now deploying these solutions, 74 percent have increased their budget significantly or at least somewhat as a direct response to APTs over the past two years. Fifty-five percent of enterprises claimed that they have allocated budget dollars specifically for one of these new anti-malware technologies. </p> <p>In today’s malware environment, the challenge is less about tackling the known malware with traditional security technologies and more about how to effectively protect against unknown advanced malware. The challenge and opportunity for security professionals will be on using practical technologies, like advanced malware analysis systems, that go beyond traditional sandboxing and specialized staff that are well-trained and equipped to defend against today’s bad guys.</p>The one thing consistent about malware attacks is that they continue to change quite a bit as time goes by. Initially, many attacks were unstructured and untargeted, indiscriminately honing in on large numbers of hosts in an attempt to find their vulnerabilities. The outcome of these initial attacks was often simple defacement or destruction of data with very few of the overall volume of these attacks covered in the news.

Fast forward to 2014.

The goals of attackers have shifted away from basic defacement (“smash-and-grab” approach of rapid infection) with a decided move towards stealth, driven by financial gain or data theft. This shift was generated from the theft of credit card and other biographical data, and has driven up the creation of new malware, the number of breaches and the total cost of a breach.

Recent Breach Statistics

Indications from the AV-TEST Institute (www.av-test.org) demonstrate where the amount of created malware increased to over 30 million in 2012. Currently, however, this institute registers more than 200,000 new malicious programs every day. This rapid increase in new malware has had a major impact on breaches, as well. Verizon research shows that 69 percent of breaches during 2011 incorporated malware.

Looking at the financial side of the equation, the 2013 Ponemon Institute shows companies paying as much as $199 per record with total costs as high as $5.4 million for a breach in the United States. Tracking from 2005 to present, Privacy Rights Clearinghouse shows nearly 622 million (621,955,664 to be exact) records compromised from 4,088 data breaches that were made public in the United States.

While the financial loss from handling record breaches is staggering, the additional loss from the fraudulent use of any breached data records is significant. LexisNexis shows $21 billion in losses due to identity fraud in 2012, adding to the trend that this is worse, not better. One only needs to look at the 2013 Thanksgiving Target breach as evidence.

Weapons-Grade Malware Lying in Wait

So far, we have only talked about information covering breaches that have become public and the creation of known malware. But, there is also a large amount of unknown, weapons-grade malware, elevated to a quality level that allows it to be used in advanced targeted attacks, lying in stealth-mode, waiting for instructions.

These new attacks are now highly targeted, using code that has been QA-tested to levels that rival many commercial applications. This level of QA has allowed attacks to now use multiple code modules that can be updated or swapped out via built-in, command-and-control channels.

Each module has its own task, for example, profiling systems to help in the identification of target systems that report back on potential targets. Other modules add evasion and protection capabilities. These modules can locate security or monitoring systems that can potentially detect, disable or feed them false information to allow the malware to remain undetected. If a module cannot handle a given defense, other modules can be loaded to breach profiled targets, collect targeted information or deliver some destructive payload.

New Options in Malware

The options are constantly expanding with examples such as Stuxnet, Duqu, Flame, and PlugX showing what can be done. Although not all unknown malware is as complex as a Stuxnet, it will still use various techniques of its more complex brethren.

This new malware is not just used by cybercriminals. A recent report shows that the NSA has 50,000 or more hosts where they have installed malicious software on systems belonging to telecommunications providers and others around the globe. This software has been designed to remain dormant until the NSA calls it into action through an established command-and-control channel. Once the sleeper agent is called-to-action, it can collect personal data and feed that information back to the NSA, be updated with new functionality or execute other tasks based on installed modules in the malware.

New forms of detection have come about to detect these new forms of attacks.

APT – A New Type of Security System

Moving away from the traditional signature matching of antivirus software that we all hopefully have installed, new protection systems must be able to protect against the quantity and voracity of unknown threats. This new type of security system, advanced protection system (APT) or advanced malware protection system, has been adopted faster than any other security technology.

Instead of focusing on the signatures of known malware, these new systems focus on behavior analysis to determine if a file is malicious. Each file is run in an advanced malware analysis system that opens the file and uses either operating system calls or CPU emulation to collect and then analyze the needed behaviors to determine maliciousness. While traditional systems will monitor basic behaviors such as windows registry changes, file activity and more, CPU emulation can detect advanced forms of evasion along with a broader set of behaviors.

Some basic behaviors that would typically indicate malicious behaviors include file and settings changes. The basic behaviors in this sample would normally be enough for this file to be suspicious while the additional, advanced behaviors of disabling Windows security center and updates, and system error reporting, two examples of evasive behaviors, place this file firmly in the malicious category. The attack finishes with trying to steal passwords. Currently, when Lastline analyzes a sample containing one of these three advanced behavior types, they are split between 13 percent disable, 31 percent evasion and 56 percent steal.

Enterprise Strategy Group (ESG) asked 198 security professionals at companies of at least 1,000 employees if their organizations had deployed network anti-malware technology; 52 percent were doing pilots, with 13 percent looking to deploy within the next 24 months. Not only are a high number of companies now deploying these solutions, 74 percent have increased their budget significantly or at least somewhat as a direct response to APTs over the past two years. Fifty-five percent of enterprises claimed that they have allocated budget dollars specifically for one of these new anti-malware technologies.

In today’s malware environment, the challenge is less about tackling the known malware with traditional security technologies and more about how to effectively protect against unknown advanced malware. The challenge and opportunity for security professionals will be on using practical technologies, like advanced malware analysis systems, that go beyond traditional sandboxing and specialized staff that are well-trained and equipped to defend against today’s bad guys.

This article originally appeared in the February 2014 issue of Security Today.

Featured

  • Maximizing Your Security Budget This Year

    Perimeter Security Standards for Multi-Site Businesses

    When you run or own a business that has multiple locations, it is important to set clear perimeter security standards. By doing this, it allows you to assess and mitigate any potential threats or risks at each site or location efficiently and effectively. Read Now

  • New Research Shows a Continuing Increase in Ransomware Victims

    GuidePoint Security recently announced the release of GuidePoint Research and Intelligence Team’s (GRIT) Q1 2024 Ransomware Report. In addition to revealing a nearly 20% year-over-year increase in the number of ransomware victims, the GRIT Q1 2024 Ransomware Report observes major shifts in the behavioral patterns of ransomware groups following law enforcement activity – including the continued targeting of previously “off-limits” organizations and industries, such as emergency hospitals. Read Now

  • OpenAI's GPT-4 Is Capable of Autonomously Exploiting Zero-Day Vulnerabilities

    According to a new study from four computer scientists at the University of Illinois Urbana-Champaign, OpenAI’s paid chatbot, GPT-4, is capable of autonomously exploiting zero-day vulnerabilities without any human assistance. Read Now

  • Getting in Someone’s Face

    There was a time, not so long ago, when the tradeshow industry must have thought COVID-19 might wipe out face-to-face meetings. It sure seemed that way about three years ago. Read Now

    • Industry Events
    • ISC West
Most   Popular

Featured Cybersecurity

Webinars

New Products

  • Unified VMS

    AxxonSoft introduces version 2.0 of the Axxon One VMS. The new release features integrations with various physical security systems, making Axxon One a unified VMS. Other enhancements include new AI video analytics and intelligent search functions, hardened cybersecurity, usability and performance improvements, and expanded cloud capabilities 3

  • EasyGate SPT and SPD

    EasyGate SPT SPD

    Security solutions do not have to be ordinary, let alone unattractive. Having renewed their best-selling speed gates, Cominfo has once again demonstrated their Art of Security philosophy in practice — and confirmed their position as an industry-leading manufacturers of premium speed gates and turnstiles. 3

  • QCS7230 System-on-Chip (SoC)

    QCS7230 System-on-Chip (SoC)

    The latest Qualcomm® Vision Intelligence Platform offers next-generation smart camera IoT solutions to improve safety and security across enterprises, cities and spaces. The Vision Intelligence Platform was expanded in March 2022 with the introduction of the QCS7230 System-on-Chip (SoC), which delivers superior artificial intelligence (AI) inferencing at the edge. 3