Protect Against Attack

Protect Against Attack

Stop theft of credit card and other biographical data

  • By Brian Laing
  • Feb 04, 2014

<p>The one thing consistent about malware attacks is that they continue to change quite a bit as time goes by. Initially, many attacks were unstructured and untargeted, indiscriminately honing in on large numbers of hosts in an attempt to find their vulnerabilities. The outcome of these initial attacks was often simple defacement or destruction of data with very few of the overall volume of these attacks covered in the news. </p> <p>Fast forward to 2014. </p> <p>The goals of attackers have shifted away from basic defacement (“smash-and-grab” approach of rapid infection) with a decided move towards stealth, driven by financial gain or data theft. This shift was generated from the theft of credit card and other biographical data, and has driven up the creation of new malware, the number of breaches and the total cost of a breach.</p> <p><strong>Recent Breach Statistics</strong> </p> <p>Indications from the AV-TEST Institute (www.av-test.org) demonstrate where the amount of created malware increased to over 30 million in 2012. Currently, however, this institute registers more than 200,000 new malicious programs every day. This rapid increase in new malware has had a major impact on breaches, as well. Verizon research shows that 69 percent of breaches during 2011 incorporated malware. </p> <p>Looking at the financial side of the equation, the 2013 Ponemon Institute shows companies paying as much as $199 per record with total costs as high as $5.4 million for a breach in the United States. Tracking from 2005 to present, Privacy Rights Clearinghouse shows nearly 622 million (621,955,664 to be exact) records compromised from 4,088 data breaches that were made public in the United States. </p> <p>While the financial loss from handling record breaches is staggering, the additional loss from the fraudulent use of any breached data records is significant. LexisNexis shows $21 billion in losses due to identity fraud in 2012, adding to the trend that this is worse, not better. One only needs to look at the 2013 Thanksgiving Target breach as evidence. </p> <p><strong>Weapons-Grade Malware Lying in Wait</strong> </p> <p>So far, we have only talked about information covering breaches that have become public and the creation of known malware. But, there is also a large amount of unknown, weapons-grade malware, elevated to a quality level that allows it to be used in advanced targeted attacks, lying in stealth-mode, waiting for instructions. </p> <p>These new attacks are now highly targeted, using code that has been QA-tested to levels that rival many commercial applications. This level of QA has allowed attacks to now use multiple code modules that can be updated or swapped out via built-in, command-and-control channels. </p> <p>Each module has its own task, for example, profiling systems to help in the identification of target systems that report back on potential targets. Other modules add evasion and protection capabilities. These modules can locate security or monitoring systems that can potentially detect, disable or feed them false information to allow the malware to remain undetected. If a module cannot handle a given defense, other modules can be loaded to breach profiled targets, collect targeted information or deliver some destructive payload. </p> <p><strong>New Options in Malware</strong> </p> <p>The options are constantly expanding with examples such as Stuxnet, Duqu, Flame, and PlugX showing what can be done. Although not all unknown malware is as complex as a Stuxnet, it will still use various techniques of its more complex brethren. </p> <p>This new malware is not just used by cybercriminals. A recent report shows that the NSA has 50,000 or more hosts where they have installed malicious software on systems belonging to telecommunications providers and others around the globe. This software has been designed to remain dormant until the NSA calls it into action through an established command-and-control channel. Once the sleeper agent is called-to-action, it can collect personal data and feed that information back to the NSA, be updated with new functionality or execute other tasks based on installed modules in the malware. </p> <p>New forms of detection have come about to detect these new forms of attacks. </p> <p><strong>APT – A New Type of Security System</strong> </p> <p>Moving away from the traditional signature matching of antivirus software that we all hopefully have installed, new protection systems must be able to protect against the quantity and voracity of unknown threats. This new type of security system, advanced protection system (APT) or advanced malware protection system, has been adopted faster than any other security technology. </p> <p>Instead of focusing on the signatures of known malware, these new systems focus on behavior analysis to determine if a file is malicious. Each file is run in an advanced malware analysis system that opens the file and uses either operating system calls or CPU emulation to collect and then analyze the needed behaviors to determine maliciousness. While traditional systems will monitor basic behaviors such as windows registry changes, file activity and more, CPU emulation can detect advanced forms of evasion along with a broader set of behaviors. </p> <p>Some basic behaviors that would typically indicate malicious behaviors include file and settings changes. The basic behaviors in this sample would normally be enough for this file to be suspicious while the additional, advanced behaviors of disabling Windows security center and updates, and system error reporting, two examples of evasive behaviors, place this file firmly in the malicious category. The attack finishes with trying to steal passwords. Currently, when Lastline analyzes a sample containing one of these three advanced behavior types, they are split between 13 percent disable, 31 percent evasion and 56 percent steal. </p> <p>Enterprise Strategy Group (ESG) asked 198 security professionals at companies of at least 1,000 employees if their organizations had deployed network anti-malware technology; 52 percent were doing pilots, with 13 percent looking to deploy within the next 24 months. Not only are a high number of companies now deploying these solutions, 74 percent have increased their budget significantly or at least somewhat as a direct response to APTs over the past two years. Fifty-five percent of enterprises claimed that they have allocated budget dollars specifically for one of these new anti-malware technologies. </p> <p>In today’s malware environment, the challenge is less about tackling the known malware with traditional security technologies and more about how to effectively protect against unknown advanced malware. The challenge and opportunity for security professionals will be on using practical technologies, like advanced malware analysis systems, that go beyond traditional sandboxing and specialized staff that are well-trained and equipped to defend against today’s bad guys.</p>The one thing consistent about malware attacks is that they continue to change quite a bit as time goes by. Initially, many attacks were unstructured and untargeted, indiscriminately honing in on large numbers of hosts in an attempt to find their vulnerabilities. The outcome of these initial attacks was often simple defacement or destruction of data with very few of the overall volume of these attacks covered in the news.

Fast forward to 2014.

The goals of attackers have shifted away from basic defacement (“smash-and-grab” approach of rapid infection) with a decided move towards stealth, driven by financial gain or data theft. This shift was generated from the theft of credit card and other biographical data, and has driven up the creation of new malware, the number of breaches and the total cost of a breach.

Recent Breach Statistics

Indications from the AV-TEST Institute (www.av-test.org) demonstrate where the amount of created malware increased to over 30 million in 2012. Currently, however, this institute registers more than 200,000 new malicious programs every day. This rapid increase in new malware has had a major impact on breaches, as well. Verizon research shows that 69 percent of breaches during 2011 incorporated malware.

Looking at the financial side of the equation, the 2013 Ponemon Institute shows companies paying as much as $199 per record with total costs as high as $5.4 million for a breach in the United States. Tracking from 2005 to present, Privacy Rights Clearinghouse shows nearly 622 million (621,955,664 to be exact) records compromised from 4,088 data breaches that were made public in the United States.

While the financial loss from handling record breaches is staggering, the additional loss from the fraudulent use of any breached data records is significant. LexisNexis shows $21 billion in losses due to identity fraud in 2012, adding to the trend that this is worse, not better. One only needs to look at the 2013 Thanksgiving Target breach as evidence.

Weapons-Grade Malware Lying in Wait

So far, we have only talked about information covering breaches that have become public and the creation of known malware. But, there is also a large amount of unknown, weapons-grade malware, elevated to a quality level that allows it to be used in advanced targeted attacks, lying in stealth-mode, waiting for instructions.

These new attacks are now highly targeted, using code that has been QA-tested to levels that rival many commercial applications. This level of QA has allowed attacks to now use multiple code modules that can be updated or swapped out via built-in, command-and-control channels.

Each module has its own task, for example, profiling systems to help in the identification of target systems that report back on potential targets. Other modules add evasion and protection capabilities. These modules can locate security or monitoring systems that can potentially detect, disable or feed them false information to allow the malware to remain undetected. If a module cannot handle a given defense, other modules can be loaded to breach profiled targets, collect targeted information or deliver some destructive payload.

New Options in Malware

The options are constantly expanding with examples such as Stuxnet, Duqu, Flame, and PlugX showing what can be done. Although not all unknown malware is as complex as a Stuxnet, it will still use various techniques of its more complex brethren.

This new malware is not just used by cybercriminals. A recent report shows that the NSA has 50,000 or more hosts where they have installed malicious software on systems belonging to telecommunications providers and others around the globe. This software has been designed to remain dormant until the NSA calls it into action through an established command-and-control channel. Once the sleeper agent is called-to-action, it can collect personal data and feed that information back to the NSA, be updated with new functionality or execute other tasks based on installed modules in the malware.

New forms of detection have come about to detect these new forms of attacks.

APT – A New Type of Security System

Moving away from the traditional signature matching of antivirus software that we all hopefully have installed, new protection systems must be able to protect against the quantity and voracity of unknown threats. This new type of security system, advanced protection system (APT) or advanced malware protection system, has been adopted faster than any other security technology.

Instead of focusing on the signatures of known malware, these new systems focus on behavior analysis to determine if a file is malicious. Each file is run in an advanced malware analysis system that opens the file and uses either operating system calls or CPU emulation to collect and then analyze the needed behaviors to determine maliciousness. While traditional systems will monitor basic behaviors such as windows registry changes, file activity and more, CPU emulation can detect advanced forms of evasion along with a broader set of behaviors.

Some basic behaviors that would typically indicate malicious behaviors include file and settings changes. The basic behaviors in this sample would normally be enough for this file to be suspicious while the additional, advanced behaviors of disabling Windows security center and updates, and system error reporting, two examples of evasive behaviors, place this file firmly in the malicious category. The attack finishes with trying to steal passwords. Currently, when Lastline analyzes a sample containing one of these three advanced behavior types, they are split between 13 percent disable, 31 percent evasion and 56 percent steal.

Enterprise Strategy Group (ESG) asked 198 security professionals at companies of at least 1,000 employees if their organizations had deployed network anti-malware technology; 52 percent were doing pilots, with 13 percent looking to deploy within the next 24 months. Not only are a high number of companies now deploying these solutions, 74 percent have increased their budget significantly or at least somewhat as a direct response to APTs over the past two years. Fifty-five percent of enterprises claimed that they have allocated budget dollars specifically for one of these new anti-malware technologies.

In today’s malware environment, the challenge is less about tackling the known malware with traditional security technologies and more about how to effectively protect against unknown advanced malware. The challenge and opportunity for security professionals will be on using practical technologies, like advanced malware analysis systems, that go beyond traditional sandboxing and specialized staff that are well-trained and equipped to defend against today’s bad guys.

This article originally appeared in the February 2014 issue of Security Today.

Featured

  • Maximizing Your Security Budget This Year

    Perimeter Security Standards for Multi-Site Businesses

    When you run or own a business that has multiple locations, it is important to set clear perimeter security standards. By doing this, it allows you to assess and mitigate any potential threats or risks at each site or location efficiently and effectively. Read Now

  • Getting in Someone’s Face

    There was a time, not so long ago, when the tradeshow industry must have thought COVID-19 might wipe out face-to-face meetings. It sure seemed that way about three years ago. Read Now

    • Industry Events
    • ISC West

  • Live From ISC West 2024: Post-Show Recap

    ISC West 2024 is complete. And from start to finish, the entire conference was a huge success with almost 30,000 people in attendance. Read Now

    • Industry Events
    • ISC West

  • ISC West 2024 is a Rousing Success

    The 2024 ISC West security tradeshow marked a pivotal moment in the industry, showcasing cutting-edge technology and innovative solutions to address evolving security challenges. Exhibitors left the event with a profound sense of satisfaction, as they witnessed a high level of engagement from attendees and forged valuable connections with potential clients and partners. Read Now

    • Industry Events
    • ISC West
Most   Popular

Featured Cybersecurity

Webinars

New Products

  • Automatic Systems V07

    Automatic Systems V07

    Automatic Systems, an industry-leading manufacturer of pedestrian and vehicle secure entrance control access systems, is pleased to announce the release of its groundbreaking V07 software. The V07 software update is designed specifically to address cybersecurity concerns and will ensure the integrity and confidentiality of Automatic Systems applications. With the new V07 software, updates will be delivered by means of an encrypted file. 3

  • ResponderLink

    ResponderLink

    Shooter Detection Systems (SDS), an Alarm.com company and a global leader in gunshot detection solutions, has introduced ResponderLink, a groundbreaking new 911 notification service for gunshot events. ResponderLink completes the circle from detection to 911 notification to first responder awareness, giving law enforcement enhanced situational intelligence they urgently need to save lives. Integrating SDS’s proven gunshot detection system with Noonlight’s SendPolice platform, ResponderLink is the first solution to automatically deliver real-time gunshot detection data to 911 call centers and first responders. When shots are detected, the 911 dispatching center, also known as the Public Safety Answering Point or PSAP, is contacted based on the gunfire location, enabling faster initiation of life-saving emergency protocols. 3

  • ComNet CNGE6FX2TX4PoE

    The ComNet cost-efficient CNGE6FX2TX4PoE is a six-port switch that offers four Gbps TX ports that support the IEEE802.3at standard and provide up to 30 watts of PoE to PDs. It also has a dedicated FX/TX combination port as well as a single FX SFP to act as an additional port or an uplink port, giving the user additional options in managing network traffic. The CNGE6FX2TX4PoE is designed for use in unconditioned environments and typically used in perimeter surveillance. 3