Protect Against Attack

Stop theft of credit card and other biographical data

The one thing consistent about malware attacks is that they continue to change quite a bit as time goes by. Initially, many attacks were unstructured and untargeted, indiscriminately honing in on large numbers of hosts in an attempt to find their vulnerabilities.
The outcome of these initial attacks was often simple defacement or destruction of data, and only a tiny fraction of them, given their overall volume, was ever covered in the news.

Fast forward to 2014.

The goals of attackers have shifted away from basic defacement (“smash-and-grab” approach of rapid infection) with a decided move towards stealth, driven by financial gain or data theft. This shift was generated from the theft of credit card and other biographical data, and has driven up the creation of new malware, the number of breaches and the total cost of a breach.

Recent Breach Statistics

Figures from the AV-TEST Institute (www.av-test.org) show the amount of newly created malware rising to over 30 million in 2012. Currently, the institute registers more than 200,000 new malicious programs every day. This rapid increase in new malware has had a major impact on breaches as well: Verizon research shows that 69 percent of breaches during 2011 incorporated malware.

Looking at the financial side of the equation, the Ponemon Institute's 2013 study shows companies paying as much as $199 per record, with total costs as high as $5.4 million for a breach in the United States. Tracking from 2005 to the present, Privacy Rights Clearinghouse shows nearly 622 million (621,955,664 to be exact) records compromised in 4,088 data breaches that were made public in the United States.

While the financial loss from handling record breaches is staggering, the additional loss from the fraudulent use of the breached records is significant in its own right. LexisNexis shows $21 billion in losses due to identity fraud in 2012, confirming that the trend is getting worse, not better. One only needs to look at the 2013 Thanksgiving Target breach as evidence.

Weapons-Grade Malware Lying in Wait

So far, we have only talked about information covering breaches that have become public and the creation of known malware. But, there is also a large amount of unknown, weapons-grade malware, elevated to a quality level that allows it to be used in advanced targeted attacks, lying in stealth-mode, waiting for instructions.

These new attacks are now highly targeted, using code that has been QA-tested to levels that rival many commercial applications. This level of QA has allowed attacks to use multiple code modules that can be updated or swapped out via built-in command-and-control channels.

Each module has its own task. Profiling modules, for example, fingerprint systems and report back on potential targets. Other modules add evasion and protection capabilities: they can locate security or monitoring systems that could potentially detect the malware, then disable those systems or feed them false information so the malware remains undetected. If a module cannot handle a given defense, other modules can be loaded to breach profiled targets, collect targeted information or deliver some destructive payload.

New Options in Malware

The options are constantly expanding with examples such as Stuxnet, Duqu, Flame, and PlugX showing what can be done. Although not all unknown malware is as complex as a Stuxnet, it will still use various techniques of its more complex brethren.

This new malware is not just used by cybercriminals. A recent report shows that the NSA has installed malicious software on 50,000 or more hosts belonging to telecommunications providers and others around the globe. This software has been designed to remain dormant until the NSA calls it into action through an established command-and-control channel. Once the sleeper agent is called to action, it can collect personal data and feed that information back to the NSA, be updated with new functionality or execute other tasks based on the modules installed in the malware.

New forms of detection have come about to detect these new forms of attacks.

APT – A New Type of Security System

Moving away from the traditional signature matching of antivirus software that we all hopefully have installed, new protection systems must be able to protect against the quantity and voracity of unknown threats. This new type of security system, advanced protection system (APT) or advanced malware protection system, has been adopted faster than any other security technology.

Instead of focusing on the signatures of known malware, these new systems focus on behavior analysis to determine whether a file is malicious. Each file is run in an advanced malware analysis system that opens the file and uses either operating system calls or CPU emulation to collect, and then analyze, the behaviors needed to determine maliciousness. While traditional systems will monitor basic behaviors such as Windows registry changes, file activity and more, CPU emulation can detect advanced forms of evasion along with a broader set of behaviors.

Basic behaviors that typically indicate malicious intent include file and settings changes. In the sample discussed here, the basic behaviors alone would normally be enough to mark the file as suspicious, while the additional, advanced behaviors of disabling Windows Security Center, Windows Update and system error reporting, two examples of evasive behaviors, place this file firmly in the malicious category. The attack finishes with an attempt to steal passwords. Currently, when Lastline analyzes a sample containing one of these three advanced behavior types, the split is 13 percent disable, 31 percent evasion and 56 percent steal.
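As an added illustration (not code from the article or from Lastline), the following script applies the article's three-tier logic to constructed sandbox event lines: basic file and settings changes make a sample suspicious, while any of the three advanced behavior types (disable, evasion, steal) makes it malicious, and the advanced hits are split into percentages the way the article's 13/31/56 figures are. The tab-separated event format, the rule patterns and the sample report are all assumptions made for this example.

```python
import re
from collections import Counter

# Constructed sandbox output in an assumed "event_type<TAB>target" format
# (not any real product's report format). The Security Center and Windows
# Update/Error Reporting entries stand in for the "disable" behaviors the
# article describes; the browser credential file read stands in for "steal".
SAMPLE_REPORT = """\
file_write\tC:\\Users\\victim\\AppData\\Roaming\\svchost.exe
registry_set\tHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost
registry_set\tHKLM\\SOFTWARE\\Microsoft\\Security Center\\AntiVirusDisableNotify
service_stop\twuauserv
service_stop\tWerSvc
api_call\tIsDebuggerPresent
file_read\tC:\\Users\\victim\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x.default\\logins.json
"""

# (category, event type, regex on the event target); first match wins.
RULES = [
    ("disable", "registry_set", r"\\Security Center\\"),
    ("disable", "service_stop", r"^(wuauserv|WerSvc)$"),
    ("evasion", "api_call", r"^IsDebuggerPresent$"),
    ("steal", "file_read", r"logins\.json$|Login Data$"),
    ("basic", "registry_set", r"\\CurrentVersion\\Run\\"),
    ("basic", "file_write", r"\.exe$"),
]

def categorize(report):
    """Map each event line to the first matching behavior category."""
    hits = []
    for line in report.splitlines():
        event, _, target = line.partition("\t")
        for category, ev_type, pattern in RULES:
            if event == ev_type and re.search(pattern, target):
                hits.append((category, target))
                break
    return hits

def verdict(hits):
    """Article's logic: advanced behavior => malicious, basic only => suspicious."""
    cats = {c for c, _ in hits}
    if cats & {"disable", "evasion", "steal"}:
        return "malicious"
    return "suspicious" if "basic" in cats else "benign"

def advanced_split(hits):
    """Percentage split of advanced behaviors (disable/evasion/steal)."""
    adv = Counter(c for c, _ in hits if c != "basic")
    total = sum(adv.values())
    return {c: round(100 * n / total) for c, n in adv.items()} if total else {}

if __name__ == "__main__":
    hits = categorize(SAMPLE_REPORT)
    print(verdict(hits), advanced_split(hits))
```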

Enterprise Strategy Group (ESG) asked 198 security professionals at companies of at least 1,000 employees if their organizations had deployed network anti-malware technology; 52 percent were doing pilots, with 13 percent looking to deploy within the next 24 months. Not only are a high number of companies now deploying these solutions, 74 percent have increased their budget significantly or at least somewhat as a direct response to APTs over the past two years. Fifty-five percent of enterprises claimed that they have allocated budget dollars specifically for one of these new anti-malware technologies.

In today’s malware environment, the challenge is less about tackling the known malware with traditional security technologies and more about how to effectively protect against unknown advanced malware. The challenge and opportunity for security professionals will be on using practical technologies, like advanced malware analysis systems, that go beyond traditional sandboxing and specialized staff that are well-trained and equipped to defend against today’s bad guys.

This article originally appeared in the February 2014 issue of Security Today.
