Written by Ross Clurman, Vice President of Marketing at Infocyte:
Let’s assume that you’ve already been hacked. Not just hacked, but infected with malware that has slipped past your firewalls and anti-virus defenses, and is now damaging endpoints across your organization. What’s more, this malware may have been residing in your infrastructure for weeks or even years, presenting an invisible, serious and persistent threat to your IT health.
These threats will never go away, of course. Cyber attackers and their targets are locked in a long-term arms race with no end in sight. The good news is that organizations are getting better at identifying and mitigating malware threats even as these threats continue to evolve.
The Current Threat Landscape
Even a cursory review of cyber threats in 2019 reveals a large and growing number of threats and vulnerabilities. To give just a few examples, we see:
• Living-off-the-Land (LotL) attacks, which allow attackers to hide inside legitimate processes and tools already present on the host.
• Formjacking attacks, in which cyber criminals load malicious code onto retailers’ websites to steal shoppers’ credit card details. Just 10 stolen credit cards per compromised website can result in a yield of up to $2.2M per month, as each card fetches up to $45 in underground selling forums.
• Ransomware and cryptojacking. For the first time since 2013, ransomware declined, down 20 percent overall, while ransomware targeting enterprises rose 12 percent.
• Endpoint devices. This vulnerability has increased significantly, with 64% of organizations suffering from zero-day attacks launched at their endpoints. Traditional endpoint security is succumbing to more attacks than it is blocking.
• Cloud-based environments. A single misconfigured cloud workload or storage instance could cost an organization millions or jeopardize its compliance posture. In 2018, more than 70 million records were stolen or leaked from poorly configured defenses.
• Malvertising, or malware introduced through malicious advertisements. Shlayer is a downloader and dropper for macOS malware, distributed primarily through malicious websites, hijacked domains, and malvertising posing as a fake Adobe Flash updater. Other prominent families include WannaCry, a ransomware cryptoworm that uses the EternalBlue exploit to spread via the SMB protocol, and Gh0st, a remote access trojan (RAT) that is dropped by other malware to create a backdoor giving an attacker full control of the infected endpoint.
The threat landscape is also shaped by a large number of regulations involving data privacy and data breach notification laws. These regulations include the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act, the Federal Information Security Management Act of 2002 (FISMA), the Family Educational Rights and Privacy Act (FERPA), the Payment Card Industry Data Security Standard (PCI-DSS), and the Gramm-Leach-Bliley Act (GLBA), among other acts and regulations.
New or changing compliance requirements add another level of complexity to threat issues. As GDPR continues to grow in its scope and reach, businesses recognize that they need to increase their preparedness and develop data-driven regulatory compliance initiatives. The same applies to organizations impacted by the California Consumer Privacy Act (CCPA) and other regulatory measures.
Compliance is also complicated by the fact that different sets of laws can apply to one company and not another. Often the requirements are given in general terms, leaving the company to determine how to best satisfy the requirements. Companies need to assess which of the laws and acts apply to them. Then they need to organize their information security to address the boundaries put in place by the acts. This requires a set plan that outlines a consistent and effective way of identifying and dealing with threats.
How to Respond
The best defense is a good, effective offense. As we said, assume that you’ve already been hacked and that your defenses have failed. Look for a threat hunting tool that can scan your environment and inspect even thousands of endpoints per hour to expose hidden cyber threats and vulnerabilities in a timely fashion, including those that traditional, log-based tools take much longer to surface in their reports. Speed is of the essence: threats should be identified in hours or days rather than weeks. You also need a tool to verify that endpoints are ‘clean,’ with scans conducted on a periodic basis or run when needed.
As for traditional malware solutions on the market, they include Endpoint Detection and Response (EDR) platforms, Antivirus (AV) software, and User/Entity Behavior Analytics (UEBA/UBA) tools. However, these approaches sometimes provide limited defenses, or rely on data from limited defenses. For example, some AV engines and some EDR platforms only monitor the door to your memory in order to prevent or detect the attack in real time, but they don’t actually analyze the contents of memory. The risks inherent in this approach are too important to ignore.
UBA/UEBA solutions assume that all the data required for insight or intelligence is available, and that all you have to do is to analyze that huge volume of information. As a result, defenses based on a UBA/UEBA approach are the very ones that will allow some malware to breach the organization without being detected.
What’s undeniable is that many traditional malware detection solutions require a significant investment in terms of outside experts to use them productively or specialized training for end users.
Deep, analytic capabilities are essential to address malware threats that other solutions might overlook. Several technologies are available.
Forensic State Analysis (FSA) is concerned primarily with assessing the health of an endpoint by validating what is running in memory at a given point in time. Properly designed, FSA uses an automated approach to post-breach detection that assumes devices are already compromised and seeks to validate every endpoint as thoroughly as possible. The automation inherent in FSA lets users deploy it effectively: rapidly, dynamically, and at scale.
FSA does not rely on the host operating system to report real-time events. Instead, the solution examines executable memory space to reconstruct what is happening and collect anything of interest, such as injected memory, forensic artifacts, executable programs, modules, hooks and more. This independence is critical because if the operating system is compromised, any data gathered from that operating system will likely be compromised as well.
Malware solutions should also support compromise assessments and root cause analysis. Compromise assessments need to quickly verify whether a network has been breached and quickly identify the presence of known or zero-day malware and persistent threats — active or dormant — that have evaded your existing cyber security defenses.
A root cause analysis (RCA) tool can help IR teams trace the source of suspicious activity or identified threats across their environment, creating a timeline that includes events like file creation, file modification, process execution, and user login events. Incident responders will learn how the attack started, where, and when.
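To make the timeline idea concrete, here is an added example (not code from the original post or from Infocyte) that builds a chronological timeline from constructed endpoint events and walks the parent-process chain from a suspicious file-creation event back to the process that spawned it and the user login that opened the session. All hostnames, users, PIDs and paths are made up for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Event:
    ts: str                    # ISO-8601 timestamp in UTC (sorts lexically)
    kind: str                  # "login", "process", "file_create", "file_modify"
    host: str
    user: str
    pid: Optional[int] = None  # process id for process/file events
    ppid: Optional[int] = None # parent pid for process events
    detail: str = ""           # image name or file path

# Constructed sample telemetry; listed out of order, as it would arrive from
# several sensors. The process tree is explorer -> outlook -> winword -> powershell.
SUSPICIOUS = Event("2019-03-04T08:17:03Z", "file_create", "ws-17", "jdoe", pid=1422,
                   detail=r"C:\Users\jdoe\AppData\Roaming\upd.exe")
EVENTS = [
    Event("2019-03-04T08:16:59Z", "process", "ws-17", "jdoe", pid=1422, ppid=1301, detail="powershell.exe"),
    Event("2019-03-04T08:01:10Z", "login", "ws-17", "jdoe", detail="interactive logon"),
    SUSPICIOUS,
    Event("2019-03-04T08:15:02Z", "process", "ws-17", "jdoe", pid=988, ppid=412, detail="outlook.exe"),
    Event("2019-03-04T08:02:30Z", "process", "ws-17", "jdoe", pid=412, ppid=1, detail="explorer.exe"),
    Event("2019-03-04T08:16:45Z", "process", "ws-17", "jdoe", pid=1301, ppid=988, detail="winword.exe"),
]

def build_timeline(events):
    """Return the events in chronological order (the RCA timeline view)."""
    return sorted(events, key=lambda e: e.ts)

def trace_root_cause(events, suspicious):
    """Follow pid -> ppid links from the suspicious event to the root of its
    process tree, then find the latest login for that user on that host that
    precedes the root. Returns (process chain, originating login or None)."""
    by_pid = {e.pid: e for e in events if e.kind == "process"}
    chain, pid = [], suspicious.pid
    while pid in by_pid:                 # stops when the parent was not observed
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    root = chain[-1] if chain else suspicious
    logins = [e for e in events if e.kind == "login" and e.host == root.host
              and e.user == root.user and e.ts <= root.ts]
    origin = max(logins, key=lambda e: e.ts) if logins else None
    return chain, origin

if __name__ == "__main__":
    for e in build_timeline(EVENTS):
        print(e.ts, e.kind, e.detail)
    chain, origin = trace_root_cause(EVENTS, SUSPICIOUS)
    print("chain:", " <- ".join(p.detail for p in chain), "| origin:", origin and origin.ts)
```

The chain shows how the attack started (a document opened from mail spawned a shell that wrote a binary), where (ws-17) and when (the 08:01 logon); in practice the pid map must also key on host and boot session, since pids are reused.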
Security in the Cloud
The cloud represents its own challenges in terms of malware threats. Issues involve both cloud providers (offering software, platforms, or infrastructure-as-a-service via the cloud) and their customers, who host applications or store data in the cloud.
A number of malware solutions describe themselves as “cloud-based,” meaning that they serve their clients with technology that has one or more components operating on the cloud. However, as more organizations move their assets to the cloud, what is needed is a solution that can secure these client assets in a cloud environment just as the clients secure their assets onsite.
A Holistic Approach
Malware is a hard-to-detect and fast-moving target, with new varieties emerging almost daily. No single technology solution addresses all the threats. We recommend a holistic approach that still involves traditional firewalls and antivirus defenses.
Equally important, these defenses should be backed by solutions specifically designed for proactively hunting, detecting, analyzing and mitigating threats on a periodic basis, whether onsite or in the cloud. In a very real sense, you need to know not only whether you can be hacked but also whether you have already been breached.
Malware is here to stay, but the right technology can give you a decided advantage in the cyber battles between bad actors and organizations like yours.