10 months ago


malware MALWARE

malware MALWARE MALEVOLENCE THE AVERAGE BREACH RESULTS IN A COST OF $158 PER STOLEN RECORD AND IS OFTEN NOT DETECTED FOR AN AVERAGE OF 229 DAYS, IT IS ESTIMATED. WHERE SHOULD THE FIGHTBACK AGAINST MALWARE BEGIN? Signature and behavioural-based antimalware are widely regarded as no match for next-generation adversaries who utilise mutating hashes, sophisticated obfuscation mechanisms, self-propagating malware and intelligent malware components. It is no longer enough to detect and respond. "Artificial intelligence offers the predictive quality that can give organisations a much-needed edge on their more sophisticated, less burdened and more evasive adversaries," says Cybersecurity Think Tank, the Institute for Critical Infrastructure Technology (ICIT). "In 2016, organisations whose cybersecurity was merely the public display of 'Security Theater' were pummelled directly and indirectly by unknown adversaries. Some organisations discovered the breaches and initiated incident response, while most others remain ignorant of the fact that their networks are actively pulsating with threat actors, who set up beachheads for future attack and who exfiltrate treasure troves of valuable data." With the average breach racking up a cost of $158 per stolen record - while remaining undetected for an average of 229 days - the problem speaks for itself: in that time, cyber threat actors exhaust the network of valuable data, capitalise further by selling network access as a service and further victimising the organisation, and laterally transition onto associated networks. "This 'detect and respond' cycle must end," warns ICIT senior fellow James Scott, author of ICIT's most recent analysis, titled 'Signature Based Malware Detection is Dead'. "Critical infrastructure organisations 14 computing security March/April 2017 @CSMagAndAwards

malware cannot afford to suffer another Anthem or Target style breach... Information technology and information security personnel are inundated by the number of dashboards, products and security suites necessary to minimally protect vital infrastructure. In critical infrastructure sectors especially, layers of incompatible technologies are 'Frankensteined' together in a haphazard attempt at nominally meeting security standards. Any unused technology in every layer exponentially increases cybersecurity noise and could result in exploitable security vulnerabilities. Meanwhile, C-level executives suffer from security solution fatigue as the result of incessant product evaluations, investments, and failures," he points out. So, what is the way forward, in his view? "Critical infrastructure cybersecurity must rely on predictive, preventive and protective solutions that detect and mitigate threats pre-execution. Organisations need machine learning AI endpoint security solutions capable of preempting and mitigating known and unknown malicious files and code based on characteristics, rather than signatures or behaviour, and that are capable of scaling to protect vital systems."* CYBERCRIME GLUT Combatting malware is a challenge all too familiar to the vendor community, who see its effects constantly. As Matt Walker, VP Northern Europe at Ivanti powered by HEAT Software, points out: "With new zero day vulnerabilities being discovered each week, and around 18 million new malware samples being registered in Q3 2016 alone, it's no wonder that last year saw cybercrime levels overtaking traditional crime in the UK. The reality is that individuals and organisations of all sizes must now build their plans around when, not if, they are attacked and, in isolation, preventive strategies such as AV and firewalls simply can't keep up." The most effective defence, he argues, begins with intelligent whitelisting, combined with regular and consistent patch management, as well as application control. "In other words, a layered approach to security is key and can eliminate 99% of the IT security risks that organisations face." PROTECTION RETHINK Customers need a new level of protection, says Edouard Viot, product manager, Stormshield - a level that allows their security systems to analyse in real time what happens in the memory, in order to react to uncommon behaviour. "Instead of looking for a pattern match to a signature of an old virus within a file against that stored in a database, these new security systems evaluate in real-time for unusual behaviour in memory. Most modern malware adopts several methods to bypass intrusion prevention systems and antivirus analysis engines - and the first thing that they do once loaded in memory is to decrypt and reassemble part of the malicious code, in order to infect the machine. The key to tackling this issue is to use software that has been designed to detect the malicious process that an executable file is carrying out in memory, in order to understand that something really malicious is ongoing on the system and can be blocked before it can cause harm. "It should also monitor in real-time the unusual behaviour of memory blocks, stopping infection on the endpoint even if it bypassed another antivirus on the way in," says Viot. The other key is to detect when abnormal activity is highlighted on the network, so as to react as fast as possible and to proactively distribute protection to other hosts once malware has been identified on one. In this case, MLCS [Multi-Layer Collaborative Security] can help. "When malicious activity is detected on the host, the software should be able to set up the proper rules to react at a network level." * For the full report, see: Matt Walker, Ivanti powered by HEAT Software: a layered approach to security is key. Edouard Viot, Stormshield: customers need a new level of protection. @CSMagAndAwards March/April 2017 computing security 15