
How can enterprises defend against digitally signed malware?
Malicious software using legitimate digital certificates is reportedly on the rise. Expert Nick Lewis explains how to mitigate the risks of digitally signed malware.
Digitally signed malware is increasing, according to a new study from Kaspersky Lab. Are there any ways to detect and/or mitigate the risk of malicious files using legitimate digital certificates?
One of the most important steps when using software signed with digital certificates is checking whether the signing certificate has been revoked. If any signing certificate -- especially a software signing certificate -- has been compromised, it should be revoked immediately.
It may also be in the software developer's best interest to be transparent; notify customers that the software signing certificate was revoked and explain how security was improved so this won't happen again. Customers that check certificate revocations may notice the certificate is revoked and then ask what happened, so preempting this confusion can demonstrate how committed a software developer is to security.
On the other hand, if the software developer hasn't identified a compromised certificate when notified by a customer, it should investigate immediately and revoke the certificate.
The threat of digitally signed malware is certainly extending to the enterprise. New research from Kaspersky Lab found digitally signed malware is growing exponentially -- and enterprises had best be prepared for it.
Potentially the most effective step to mitigating the risk of digitally signed malware is to only allow approved executables to run on endpoint systems; this can be accomplished by whitelisting the approved executables. This would require significantly more effort for attackers to successfully compromise endpoints with signed malware.
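As an added illustration of the whitelisting step (this is example code, not part of the original article or any vendor's documentation), the following PowerShell script builds an AppLocker allow-list of publisher rules from the binaries already installed on a known-good reference machine and deploys it in audit mode first, so that anything the policy would have blocked is logged before enforcement is switched on. It assumes an elevated Windows PowerShell session on a Windows 10/11 or Windows Server host with the Application Identity service running; the directory list and output paths are placeholders to adjust.

```powershell
# Added example (not from the original article): derive an AppLocker
# publisher-rule allow-list from a known-good reference install and deploy it
# in audit mode. Run elevated. Paths below are placeholders.

$referenceDirs = @('C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows\System32')
$policyPath    = 'C:\Temp\signed-allowlist.xml'      # placeholder output path
$reviewPath    = 'C:\Temp\unsigned-review.txt'       # placeholder output path

# Collect signature (publisher) information for every EXE and DLL found.
$fileInfo = foreach ($dir in $referenceDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Dll
}

# Unsigned binaries cannot receive a publisher rule. Write them out for human
# review instead of silently falling back to a hash rule for each one.
$fileInfo | Where-Object { -not $_.Publisher } |
    Select-Object -ExpandProperty Path |
    Set-Content -Path $reviewPath

# Publisher rules allow anything signed by the same publisher, so a stolen
# certificate from an approved vendor still passes this check. That is why
# revocation checking on the endpoint must stay enabled as well.
[xml]$policy = $fileInfo | Where-Object { $_.Publisher } |
    New-AppLockerPolicy -RuleType Publisher -User Everyone -Optimize -Xml

# New-AppLockerPolicy emits EnforcementMode="NotConfigured", which AppLocker
# treats as enforced once rules exist. Force audit mode explicitly so the
# first deployment only logs (event ID 8003 in the
# "Microsoft-Windows-AppLocker/EXE and DLL" log) instead of blocking.
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'AuditOnly'
}
$policy.Save($policyPath)

# Merge into the local policy; review 8003 events for a few weeks, then flip
# EnforcementMode to "Enabled" and re-apply.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

In a domain, the same XML is imported into a Group Policy Object rather than applied locally; the audit-first sequence is the important part, because a publisher allow-list that is enforced on day one will block legitimate unsigned line-of-business tools that were never inventoried.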
Other steps enterprises can take include checking if software is signed by a certificate from a well-known and trusted authority, or even signed by an approved certificate authority. Enterprises may also want to inventory all files on a system and check each signed file to see who signed it to ensure it would meet the signing requirements for new files.
At a minimum, enterprises should enable endpoints to check for revocation for signed software.
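The inventory and revocation steps above can be combined into one check. The PowerShell script below is an added example (not code from the original article) that walks a directory, verifies each Authenticode signature, compares the signer's issuer against an approved list, and then builds the signer's certificate chain with online CRL/OCSP revocation checking. The explicit chain build matters because `Get-AuthenticodeSignature` reports a signature as `Valid` based on the signature itself and does not by itself perform an online revocation check. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows with outbound access to the CAs' CRL and OCSP endpoints; `$scanRoot`, `$approvedIssuers` and the CSV path are placeholders.

```powershell
# Added example (not from the original article): inventory signed binaries,
# check who signed them, and check the signing certificate for revocation.

$scanRoot        = 'C:\Program Files'                                   # placeholder
$approvedIssuers = @('CN=Example Approved Code Signing CA, O=Example Corp')  # placeholder DNs
$csvPath         = 'C:\Temp\signing-inventory.csv'                      # placeholder

function Test-SignerRevocation {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Build the chain with online revocation checking for every certificate
    # in it, not just the leaf, so a revoked intermediate is caught too.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
    $built = $chain.Build($Cert)

    # Collapse all chain status flags into one integer for bit tests.
    $flags = 0
    foreach ($s in $chain.ChainStatus) { $flags = $flags -bor [int]$s.Status }
    $F = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]

    if ($flags -band [int]$F::Revoked)                  { return 'Revoked' }
    if ($flags -band [int]$F::RevocationStatusUnknown)  { return 'Unknown' }
    if ($flags -band [int]$F::OfflineRevocation)        { return 'Unknown' }
    # A timestamped signature stays valid after the signer certificate
    # expires, so an expired-only chain is reported separately, not as bad.
    if (-not $built -and $flags -eq [int]$F::NotTimeValid) { return 'GoodButExpired' }
    if ($built) { return 'Good' }
    return 'ChainError'
}

$files = Get-ChildItem -Path $scanRoot -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue

$report = foreach ($f in $files) {
    $sig    = Get-AuthenticodeSignature -FilePath $f.FullName
    $signer = $sig.SignerCertificate
    $issuerApproved = $false
    $revocation     = 'n/a'
    if ($signer) {
        $issuerApproved = $approvedIssuers -contains $signer.Issuer
        $revocation     = Test-SignerRevocation -Cert $signer
    }
    [pscustomobject]@{
        Path           = $f.FullName
        SignatureState = $sig.Status            # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer         = if ($signer) { $signer.Subject }    else { '' }
        Issuer         = if ($signer) { $signer.Issuer }     else { '' }
        Thumbprint     = if ($signer) { $signer.Thumbprint } else { '' }
        IssuerApproved = $issuerApproved
        Revocation     = $revocation
    }
}

# Anything unsigned, tampered, signed by an unapproved issuer, or whose signer
# is revoked or could not be checked goes to the top of the review list.
$flagged = $report | Where-Object {
    $_.SignatureState -ne 'Valid' -or -not $_.IssuerApproved -or $_.Revocation -notin 'Good', 'GoodButExpired'
}
$flagged | Sort-Object Revocation, SignatureState | Format-Table Path, SignatureState, Revocation, Issuer -AutoSize

$report | Export-Csv -Path $csvPath -NoTypeInformation
```

The `Unknown` result deserves attention in its own right: an endpoint that cannot reach the CRL or OCSP responder silently degrades to "not revoked" in most software, so a scan that returns `Unknown` for every file usually means the revocation check is being blocked by egress filtering rather than that every signer is good.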