Computing Security

Combating malware means going way beyond locating suspicious programs on servers and workstations, and detecting and interfering with the use of malware on the network

All too often, organisations make the mistake of treating malware infections as a series of independent occurrences. Worst-case scenario? A malicious program is discovered and IT simply cleans it up or rebuilds the affected host… and then moves on with routine operational tasks. That is just not good enough for any business that wants to stay secure. Such an ad hoc approach fails to protect an enterprise from the increasingly aggressive and innovative attack tactics now employed by malware authors. It is their stock in trade to design malware that simply bypasses defences, evades detection and resists the most stringent efforts to remove it. As Stuart Brown, principal solutions architect at Redcentric, points out, a new approach is required that prevents malware entering your network or, at the very least, enables you to detect it at the point of entry.

“People call this the ‘kill chain’ of an advanced persistent threat (APT) and you need to take a holistic approach to security defence, rather than a series of discrete solutions,” he advises. “For security technology to work, it needs to cover three essential elements: it needs to be able to detect malware entering the organisation; it needs to detect malware traffic traversing across the internal network; and then it needs to detect malware on the way out.

“In the past, companies have simply added appliances to the network that deal with each of these in isolation,” he adds. “It’s likely any one organisation will have a combination of firewalls, virus protection and intrusion detection amongst other security solutions. For many, the answer to a raised threat has been to simply stick another security appliance on the network.

These traditional approaches, however, have become limited as malware becomes more sophisticated. “First, each appliance sits in isolation. They’re typically provided by different manufacturers and rarely are they capable of integrating. This limits the visibility and control that the IT team has over what is really happening on their network. This lack of visibility often results in the IT team having to check each individual log or report of each device to identify if there’s a problem.”

Some appliances also provide a blanket approach that doesn’t allow for the nuances of malware. “For example, most network firewalls are traditional port and protocol based. This means that the firewall is programmed to let in a certain type of traffic that comes via a port – let’s say https (encrypted) traffic via port 443. That means all traffic via port 443 is allowed in – whether it’s good or bad. The firewall doesn’t check traffic to see what it is. It’s just as likely to be a piece of malware dressed up as an https request as it is to be genuine https traffic. And as malware has moved away from social applications and is more often embedded in business critical applications, it’s now more difficult to protect against,” Brown points out.
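To make Brown's point concrete, the following added example (written for this page, not Redcentric's or the article's code) contrasts a port-and-protocol rule with a content-aware check on three constructed flows: the port rule admits everything on 443, while the content check verifies that bytes on 443 are actually a TLS ClientHello and flags anything else for inspection.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    label: str
    dst_port: int
    payload: bytes  # first bytes the client sent (constructed samples below)


# Constructed sample flows. The first two both go to port 443, so a
# port-based rule treats them identically. Addresses are documentation ranges.
SAMPLE_FLOWS = [
    Flow("genuine https", 443,
         bytes.fromhex("160301005c010000580303") + b"\x00" * 32),
    Flow("plaintext beacon on 443", 443,
         b"POST /check-in HTTP/1.1\r\nHost: 203.0.113.5\r\n\r\n"),
    Flow("tls on non-standard port", 8443,
         bytes.fromhex("160303000501000001")),
]


def port_based_decision(flow: Flow) -> str:
    """Traditional firewall rule: port 443 means 'https', so allow it.
    The payload is never examined."""
    return "allow" if flow.dst_port in (80, 443) else "deny"


def is_tls_client_hello(payload: bytes) -> bool:
    """Check the bytes really are a TLS handshake record carrying a ClientHello:
    record type 0x16, major version 0x03, handshake message type 0x01.
    The record header is 5 bytes, so the handshake type sits at offset 5."""
    return (len(payload) >= 6
            and payload[0] == 0x16
            and payload[1] == 0x03
            and payload[2] <= 0x04
            and payload[5] == 0x01)


def content_aware_decision(flow: Flow) -> str:
    """Application-aware rule: the port only says what the traffic claims to
    be; the payload decides. Mismatches are handed to deeper analysis."""
    tls = is_tls_client_hello(flow.payload)
    if flow.dst_port == 443:
        return "allow" if tls else "inspect"   # claims https but is not TLS
    return "inspect" if tls else "deny"        # TLS where no rule expects it


def compare(flows=SAMPLE_FLOWS) -> dict:
    """Map each flow label to (port-based verdict, content-aware verdict)."""
    return {f.label: (port_based_decision(f), content_aware_decision(f))
            for f in flows}
```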

What we need in the fight against the kill chain of APT is a new capability: ‘loop protection’. This takes all of the tools available to a security team – firewalls, malware and APT detection, real-time analysis (sandboxing), endpoint protection, correlated log analysis and others – and combines them. This type of closed-loop protection is available through next generation firewalls (NGFW): a single box that can see all traffic, identify whether it is encrypted, which port and protocol it uses, and scan it – in real time – for malware and APT. If it is concerned about a piece of traffic, it then runs it through a virtual machine to see what it does and what its impact is. This is known as sandboxing.

“If it identifies the traffic as malware, it will apply an automated response, based on a set of rules that you’ve pre-determined. This ‘spot, prove, react, prompt’ reaction all happens in real time. This means you’re protected before you know that there’s an issue.”

“No organisation should rely solely on a single vendor solution. The reality is that each vendor may do well in a particular aspect but no single technology or product can ever offer a completely bulletproof solution to every threat,” comments David Peters, technical director for ANSecurity. “This is a more prevalent issue now that attackers are using exploits designed to bypass detection methods used by specific vendors. We always advise clients to think about multiple layers of complementary solutions that overlap slightly to provide a belt and braces approach.

“Simply having a security product deployed is not the end of the story. In many instances, when we are called in as security consultants post breach, our analysis uncovers a specific security product that may have been improperly configured, unpatched or simply not evolved with changes in the environment, exposing a vulnerability that has been exploited. We recommend that organisations take an active approach with regular security system, training and process evaluations to keep pace with internal changes and external threats.”

Since the first mass-market malware, the security industry has been in an “ongoing arms race” between attackers and defenders, Peters continues. “The types of attacks, the scope and scale of vulnerabilities, corresponding exploits and even distribution methods have kept pace with technological progress. This cycle is unfortunately never ending and malware for profit has grown into a multibillion dollar industry. New approaches to delivering malware whilst evading detection are constantly evolving, along with the malware itself. Organisations need to continually re-evaluate sources of malware, a process that can be streamlined with certain security tools, but administrators need to keep up to date with new threat vectors and routinely test that the defences are set up to deal with the next wave of attacks.”

John Wilson, field CTO, Agari, points to how, in the last five years, we have become far too familiar with the social engineering tactics and spam messages that hackers use to spoof a company’s domain and attempt to infect our computers with malware. “Advances in phishing and social engineering techniques that carry malware have come on leaps and bounds,” he says. “Phishing attempts are no longer primitive and full of errors; they have become sophisticated and believable, making it almost impossible to identify that something is amiss. Email-borne malware attacks can vary greatly in form and content, with the malware either included as an attachment or embedded in a link. Malware distributors often keep the content as minimal as possible, trying to drive a click on the attachment or to their URL.”

Brand-conscious organisations that want to use email to communicate with consumers need to ensure it is a secure channel, so that their brand is not used to trick consumers into infecting their devices with malware. “Companies must take the proper steps to prevent phishing emails supposedly coming from their brand, containing malicious links or attachments. Not only do phishing emails have a detrimental effect on the recipient, but also on the brand that the email has come from, whose reputation will become tarnished in the process,” states Wilson.