apops - Fotolia
Is there any way to tell the difference between insider versus non-insider malware? Are there software products that can detect malware written by someone inside my organization?
One of the most common and oldest threats is an attack by a trusted insider. These individuals might already have the access needed to be malicious, or, alternately, a local privilege escalation attack could give them easy access to sensitive data.
While distinguishing between insider and non-insider attacks is difficult, it could be even more difficult to detect malware written by someone inside an enterprise. Targeted attacks written by an external malware coder could disguise themselves as insider attacks since an internal account could be used as part of the compromise.
Alternately, a leak of data could also be an insider attack.
Non-insider and non-customized malware could be easiest to detect versus insider malware because other systems from other networks might submit the same suspicious files to antimalware vendors; the security intelligence from vendors would improve this detection.
Unfortunately, there are no software products that would specifically spot malware written by someone within an organization. You could identify if an internal command and control system is used with the malware or where a file might have been downloaded from a legitimate system. Once a malicious file is identified, it should be checked for shared libraries or coding style that might be common in the enterprise to see if there are any commonalities.
Detecting an insider attack -- whether it is using custom developed malware or not -- can be done by monitoring suspicious activities on systems and reviewing logs. Check logs for both where and when authentication occurred, and for what files were accessed on those systems.
Ask the Expert!
Perplexed about enterprise security? Send Nick Lewis your questions today! (All questions are anonymous.)
Dig Deeper on Malware, virus, Trojan and spyware protection and removal
Related Q&A from Nick Lewis
Port scans provide data on how networks operate. In the wrong hands, this info could be part of a larger malicious scheme. Learn how to detect and ... Continue Reading
Cloud penetration testing presents new challenges for information security teams. Here's how a playbook from the Cloud Security Alliance can help ... Continue Reading
Many cloud providers are tight-lipped about internal security control details. Learn how to evaluate cloud security providers with certifications and... Continue Reading