Blended threats and steady improvements to exploit kits, the browser-attack toolkits behind drive-by downloads, have put capable malware in the hands of a wider audience of less-skilled cybercriminals, who can now launch a drive-by attack with a few mouse clicks. At the same time, the growth of state-sponsored hacking and the difficulty of keeping modern browser plug-ins up to date have made the threats facing the enterprise network more numerous, sophisticated and pernicious. Even that old chestnut, social engineering, has become easier: social networks let criminals pose as co-workers or friends, build unearned trust and then use that trust to steal credentials and assets from the unwitting.
Malware's new sophistication
Troubling examples abound. First, consider how "hacking as a service" has lowered the cost of launching attacks, including ones built on zero-day exploits, against a wider collection of targets, as Emilio Iasiello writes on the Norse blog. These services are not only cheaper but have upped their game and become more professional, accessible and dangerously effective. They are behind banking botnets such as Gameover Zeus and remote-access Trojans such as AlienSpy, attacks that have caused millions of dollars in damage.
Second is the increasing effectiveness of drive-by browser attacks, which prey on the complexity of the modern browser and on out-of-date plug-ins, browser helper objects, extensions and other associated software. Witness the success of the Angler exploit kit, which probes a visitor's browser for an unpatched component it can use to get into the target PC. Sophos describes how these attacks find their way into their targets in its analysis of the kit. Given that, it isn't surprising how effective Angler has been: Cisco reports that, on average, 40% of users who encounter an Angler landing page are compromised.
Finally there is Hammertoss, malware discovered earlier this year that retrieves its command-and-control information from Twitter and GitHub accounts. It has built-in delays and timing controls that make its network traffic look like ordinary end-user queries of those services. FireEye, in a recent report, suspects it is the work of a Russian state-sponsored hacking group. The tweets direct the malware to download an image from GitHub, extract encrypted instructions hidden in it, and finally upload the victim PC's data to attacker-controlled storage. FireEye states that the malware "undermines network defenders' ability to identify [the exploit]. While each technique is not new, when combined they make it particularly hard to spot malicious network traffic and a powerful backdoor."
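One cheap check a defender can run against the image half of that scheme, added here as an example and not code from the original article or from FireEye's report: image decoders stop reading at the format's end-of-image marker, so any bytes a download hook finds after a PNG's IEND chunk are a signal that the file carries something besides a picture, even though every viewer will display it normally. The PNG below is built inline (a 1x1 image), the appended "command" bytes are a made-up stand-in, and the check assumes the payload is appended to the file rather than woven into pixel data, which it would not catch.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_png(width: int = 1, height: int = 1) -> bytes:
    """Build a minimal, valid 8-bit RGB PNG (all-black pixels) for the demo."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    # Each scanline is a filter byte (0 = none) followed by RGB triples.
    raw = b"".join(b"\x00" + b"\x00\x00\x00" * width for _ in range(height))
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


def png_trailing_bytes(data: bytes) -> int:
    """Walk the chunk list and return how many bytes follow the IEND chunk.

    0 means the file ends where the format says it should. A positive value
    is data a normal viewer silently ignores. Raises ValueError if the bytes
    are not a structurally valid PNG (bad signature, truncated chunk, CRC
    mismatch, or no IEND at all), so malformed files are triaged separately.
    """
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4              # header + data + CRC
        if end > len(data):
            raise ValueError(f"truncated {ctype!r} chunk")
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if zlib.crc32(data[pos + 4:end - 4]) & 0xFFFFFFFF != crc:
            raise ValueError(f"CRC mismatch in {ctype!r} chunk")
        pos = end
        if ctype == b"IEND":
            return len(data) - pos
    raise ValueError("no IEND chunk found")


def triage(name: str, data: bytes) -> dict:
    """Classify one downloaded file the way a proxy or endpoint hook might."""
    try:
        extra = png_trailing_bytes(data)
    except ValueError as exc:
        return {"name": name, "verdict": "malformed", "detail": str(exc)}
    if extra:
        return {"name": name, "verdict": "suspicious", "trailing_bytes": extra}
    return {"name": name, "verdict": "clean", "trailing_bytes": 0}


if __name__ == "__main__":
    clean = make_png()
    # Constructed stand-in for an appended, encrypted command blob.
    stego = clean + b"\x7f\x03\xa9\x11\x5c\xe2\x40\x8b"
    for fname, blob in (("clean.png", clean), ("stego.png", stego),
                        ("trunc.png", clean[:-2])):
        print(triage(fname, blob))
```

The same idea applies to other formats with a defined terminator (a JPEG's end-of-image marker, for instance), and it is only one signal: a file that passes this check can still hide data inside legitimate chunks or pixel values, so treat a clean verdict as "nothing obvious appended," not as proof of innocence.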
These three threats are just a few of the many that security professionals see regularly. Cisco's 2015 midyear security report lists several other factors that have contributed to the rise in malware sophistication, including more professional development teams building new ransomware, growing use of Tor and similar anonymizing tools to hide malware command-and-control traffic, and a return to Microsoft Office macros as a delivery vehicle. The Cisco report concludes that there needs to be a "movement toward an integrated threat defense architecture that provides visibility, control, intelligence and context across many solutions."
What can be done?
Certainly, enterprises have always needed a variety of countermeasures to protect their endpoints and networks. But as these threats become more numerous and potent, they also have to stay on top of these and other developments. This means "most traditional antivirus products don't cut it anymore," says David Wren, the founder of Network Technology Partners, a security value-added reseller in Ellisville, Mo.
"The average AV product has about a 40% efficacy rate these days, and needs to be supplemented with a series of other security products." These include tools that protect against network-based threats, ones that track malware behavior across multiple infection paths, and tools that monitor file integrity and watch for user privilege escalation. "There is still room for a layered approach," he says. "You have to use a collection of tools if you want to truly be protected."
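The file-integrity and privilege-escalation monitoring Wren mentions can be approximated in a few dozen lines, shown here as an added example rather than any product's code: take a hash-and-permissions baseline of a directory tree, re-take it later, and report what was added, removed, rewritten or changed mode, with any file that acquired the set-user-ID bit called out separately because that is the classic on-disk footprint of a local privilege-escalation backdoor. The directory, file names and "tampering" below are all constructed inside a temporary directory.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(1 << 16), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root) -> dict:
    """Map each regular file under root (POSIX-style relative path) to
    (sha256, permission bits including setuid/setgid/sticky).

    Symlinks are skipped on purpose: hashing their target would let an
    attacker point a watched name at an unwatched file without changing
    anything this record captures.
    """
    root = Path(root)
    out = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        out[p.relative_to(root).as_posix()] = (_sha256(p), stat.S_IMODE(p.stat().st_mode))
    return out


def compare(old: dict, new: dict) -> dict:
    """Diff two snapshots. 'new_setuid' is the privilege-escalation signal:
    a file that gained the set-user-ID bit since the baseline was taken."""
    both = old.keys() & new.keys()
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "modified": sorted(k for k in both if old[k][0] != new[k][0]),
        "mode_changed": sorted(k for k in both if old[k][1] != new[k][1]),
        "new_setuid": sorted(k for k in both
                             if new[k][1] & stat.S_ISUID and not old[k][1] & stat.S_ISUID),
    }


def demo() -> dict:
    """Build a constructed tree, baseline it, tamper with it, and report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        for rel, body in (("bin/helper", b"#!/bin/sh\necho ok\n"),
                          ("etc/app.conf", b"debug=false\n"),
                          ("etc/old.conf", b"stale\n")):
            (root / rel).write_bytes(body)
            os.chmod(root / rel, 0o644)
        base = snapshot(root)

        # Simulated tampering: a backdoored config, a dropped binary, a
        # deleted file, and a helper given the setuid bit. Only the mode
        # changes; ownership stays with the current user, so this is
        # harmless inside the temporary directory.
        (root / "etc/app.conf").write_bytes(b"debug=false\nadmin_backdoor=1\n")
        (root / "bin/dropper").write_bytes(b"\x7fELF\x02\x01\x01")
        (root / "etc/old.conf").unlink()
        os.chmod(root / "bin/helper", 0o4755)

        return compare(base, snapshot(root))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:13} {value}")
```

In production the baseline has to live somewhere the monitored host cannot rewrite (a signed store or a separate server), otherwise an attacker who can drop a file can also "bless" it; and the scan should run from a known-good copy of this script, not from the tree it is checking.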
Joe Willmann is the IT director of a Lafayette, Ind., Catholic school system with four schools and 1,000 students. Over the past several years the schools have replaced their aging Windows XP machines with school-supplied MacBook Air laptops. One reason for switching platforms was that Macs are targeted by fewer malicious attacks than Windows PCs; another was that Microsoft has ended support for XP. The school network sees attempted malware exploits daily and has deployed a number of security measures.
First, the Lafayette students receive training in basic security practices, including password security. Second, the school system upgraded its perimeter to dual Sophos UTMs that work with a cloud-based content filter, which blocks social network use during the school day but allows it once the students are home. "It is pretty important that our data stays secure, especially given that all our students have devices now," Willmann says. "This way, the content filter can go home with their laptops, so our students don't have to tunnel back to our UTM box. This means we get alerts when something malicious is installed on their computer." The UTM boxes were also part of an overall network upgrade that unified all the schools into one infrastructure and simplified their security.
Finally, Willmann established a coding club in the upper schools that "tries to get students to learn how to do hacking for good. They test our network as part of their duties and have found several vulnerabilities, such as open network ports, that we missed."
Still, vigilance is difficult. "We have never found a completely clean customer when we first go into a new enterprise," says Wren, of Network Technology Partners. "One time, we found a server that was part of a botnet collecting money for a criminal's PayPal account, and it probably had been operating for more than 18 months."