‘Malware’ has come a long way. From merely annoyance applications coded by bored engineering students for notoriety all the way to professionally developed stealth applications for financial gains and stealing state secrets. According to Verizon’s 2012 Data Breach Investigations Report, 69% of the breaches were attributed to malware infections. The business impact of such Advanced Malware is in the billions of dollars and the massive loss of intellectual property. The growing complexity of the malware and the risks it poses to business assets is a universal concern of Risk managers all over the world.
To combat the threat of Advanced Malware, we need to think beyond signature-based detection tools like antivirus or malicious network traffic detection tools like IDS/IPS. No vendor has enough resources to create signatures for every new malware or malicious traffic pattern that exists in the wild. This is not to say that those tools are extinct; they are essential for ‘Defense in Depth’ but they can’t overcome an organization’s malware threat. There is a growing need for Threat Intelligence to combat Advanced Malware.
Having spent the last six years in the trenches i.e. conducting forensic investigations for high profile data breaches, I can safely say that Forensics is a lot easier when you have intelligence on the attackers; e.g. when investigating Advanced Persistent Threats (APTs), it is important to know what types of tools and artifacts are left behind by threat actors on the network and disk. Likewise, when responding to cardholder data breaches, one needs to understand how the threat actors are able to steal magnetic stripe data despite the victims using a PA-DSS Validated Payment Application. The attackers are successful because they study the victim and execute a targeted attack. The investigation techniques have evolved as well, now that more and more investigators are employing Memory Analysis and Timeline Analysis. However, it is equally important to have the intelligence on the potential attackers’ behavior.
Footprints of an Attack: Good intelligence can provide an effective pivot point for the investigation. To be specific, while investigating an organization likely to be a victim of an APT, if you see any systems calling out to todayusa.org, you can be sure that those systems are infected by malware based on the intel shared by Mandiant on APT1 threat actor; this can help you select the systems to analyze further in a large enterprise. Similarly, finding “msaudit.dll” in C:\Windows\System32 folder on a system investigated for Point of Sale (POS) breach investigation can tell you that the system is being used for memory parsing according to Visa’s Intel on Point of Sale (POS) malware.
If the Intelligence can be used for post mortem analysis, it should also be incorporated as a component of an overall Malware Defense Strategy. The Next-Generation network security devices will continue to sell but I can also see a strong demand for Cyber Intelligence Services. A paradigm shift is needed to combat these threats. Many Security Experts have admitted in recent times that it’s hard to keep the cyber criminals out hence the next best thing we can do is to detect the breach quickly to minimize the impact to business via an effective Incident Response Plan. The advantage of detecting the breach yourself is that you can then proceed with the investigation at your own pace rather than being dictated by 3rd parties and under continuous consumer/public scrutiny.
Organized cyber criminals are relentless and malware complexity will continue to evolve. We can combat the Advanced Malware with an effective Malware Defense Strategy utilizing available Threat Intelligence. Threat Intelligence feeds can be purchased but if you are on a budget, you can take advantage of the free reports shared by various IT Security firms. Our challenge is that we are fighting military class malware with civilian defense. It’s time to proactively evaluate the threats to your organization and strategize accordingly.
About the author
Jibran Ilyas is the Incident Response Team Lead at HALOCK Security Labs. He has investigated some of the world’s largest data breaches and devised Malware Defense strategies for principal clients. Jibran has presented at several global security conferences including DEFCON, Black Hat, SecTor and SOURCE Barcelona, in the area of Computer Forensics and Cyber Crime. Jibran has been the co-author of Global Security Intelligence reports and has trained USSS and other Law Enforcement agencies on Incident Response and Forensics.