In the escalating arms race against advanced malware, many organizations require defenses to protect enterprise networks in real time that go beyond desktop endpoint virus scanners and network-based intrusion prevention products.
Unfortunately for security organizations, advanced malware is getting harder to detect, thanks to the proliferation (more than 100) of automated online tools called "crypters" and "packers." Add to these exploits a range of new techniques that use social networks to establish trust, more use of in-memory attacks and ransomware. All of this means it is an increasingly nasty online world.
Crypters and packers make it easier for criminals to create (within seconds) custom code destined for a particular desktop. The effect of this "individualized" approach is that signature scanners are ineffective, making zero-day attacks, such as the November Windows XP privilege escalation attack, increasingly difficult to stop.
Tim Crawfordstrategic advisor, AVOA
Ransomware is also becoming more popular, according to IT security firm Sophos. Note the latest attack targeting SAP installations in November and a variation called CryptoLocker that is plaguing networks. In these types of attacks, infected code is inadvertently downloaded through phishing in the guise of protective software, such as a fake antivirus or antimalware program. But rather than protecting you, this code ends up demanding payment (sometimes in Bitcoins) before it will release your data.
Improving the odds
Advanced malware: Five prevention tactics from the trenches
So what are some strategies that IT managers have used to stem the advanced malware tide? First is a combined approach of network and desktop protection. Susan May is a technical support specialist in the IT department at Amherst College. The campus uses a combination of ESET's antimalware scanner and Palo Alto Networks' WildFire sandboxing analysis service to protect its network. "We have seen a lot of spear phishing and fraudulent email messages that use Amherst subjects in them," says May."The threat detection console feature of ESET is very helpful as it notifies [us] about infections and lets us track ones that are symptomless. This way we don't have to rely on users reporting alerts they received from ESET."
Some traditional endpoint products have already included this integration, such as Symantec's Endpoint Protection. "I know of a single government employee managing 40,000 endpoints from one central console. That is impressive," says Tony Stirk, president of Iron Horse, a Virginia security reseller and consultant.
Second, extreme measures such as eliminating or restricting USB ports or introducing air gaps might be necessary for creating the most secure networks. The gaps refer to networks that don't have any live Internet connections. Stirk works with a variety of government clients that employ these measures. While "these networks can be infected by some pretty heavy-duty malware, this malware can't ‘phone home' because of the air gap," says Stirk. "And this also means that cloud-based software delivery and online security updates don't work either."
Third is a focus on social networks and social engineering techniques. While not new, in the age of ‘everyone is connected to everyone else,' advanced malware can gain entry through false trusted relationships. "Social engineering training and assessments should be added to most organization's security awareness training initiatives," says Andy Hubbard, senior security consultant at Neohapsis. "This is especially important for executives." He also recommends keeping a cool head after you get infected: "Post-infection, it is important to not just blindly rebuild an infected machine but understand that the user data may still have an active infection."
Fourth, keep track of advanced malware by monitoring your outbound traffic. "We can detect problem machines by the traffic they attempt to send out to the Internet," says Dougan McMurray, IT manager for Brennan IT, an Australian reseller. "This traffic is then blocked, and we track down the machine by IP address and remediate as needed."
Finally, don't depend on tiger teams to fix things post-breach. "Incident response teams are similar to homeowners trying to put out the fire themselves before calling the fire department," says Stirk. "It isn't always successful. Instead, IT people should be planning for various levels of degradation that could happen for all kinds of reasons—from lost passwords, to death or incapacity of an employee, to a lost communication link," he says. One example of this lack of planning is the many IT departments that are without formal response plans for distributed denial-of-service attacks.
It doesn't take much for bad events to slip through your defenses. "An organization of between 9,000 and 12,000 users can expect to have an average of 1,000 to 1,200 virus events per month, and while traditional antivirus products catch many of these [events], these desktops still need to be properly maintained," says Andy Hubbard, a senior security consultant for Neohapsis and former IT manager for a California hospital chain.
According to Hubbard, "Various versions of FakeAV programs are still really common. This means that even a small percentage of malicious email traffic getting past spam filters can be significant." Gulp.
Having those sorts of odds means managing updates becomes critical. Dougan McMurray, IT manager at Australia-based Brennan IT, advises: "While spam and Web content filters and network threat protection appliances may not be new, having them 100% up to date is mandatory."
Sometimes, it is a knowledge gap that lets the bad stuff in. Tim Crawford, a former CIO and now a strategic advisor at AVOA, says, "Companies can't always justify the expense of the additional protective features beyond those of a traditional firewall. As the threat vectors increasingly change from relatively simplistic signature-based [threats] to more complex behavior-based [threats], the awareness of many IT managers has not evolved as quickly."
More ways to fight back
But the good guys are fighting back, using two general technologies. First, many organizations are improving their real-time global scanning efforts. (The National Security Agency isn't the only entity watching Internet traffic.) These systems include products and services from McAfee Inc., Norse Corp., FireEye Inc., Palo Alto Networks Inc. and Network Box Corp. Security vendors have placed sensors around the world at key customer or Internet connection points to detect zero-day exploits in near real time.
Palo Alto Networks uses its WildFire service to trap and investigate threats and communicate this information to its customers. (See sidebar, "Advanced Malware: Five Prevention Tactics from the Trenches.") McAfee has paired its Advanced Threat Defense appliance with its Real Time software for endpoints and servers to try to do a better job of catching zero-day attacks. Norse Corp. has software that credit card companies can use during the few seconds that a card reader is checking to see if a card has been compromised. Network Box's Z-Scan Anti-Malware service also uses hundreds of thousands of probes spread around the world on key network segments to detect advanced malware and other anomalies. The company also added more than a dozen antimalware scanners and three IPS engines to examine packets.
Other companies, such as Verdasys and FireEye, are combining forces and announcing integrated security systems. Introduced in September, the Verdasys Digital Guardian Connector for FireEye combines FireEye's detection network with Verdasys' endpoint protection. Expect more of these partnerships in the future.
Early warning systems
More sophisticated and integrated reputation management techniques are also becoming available from companies such as Cisco Systems Inc., Blue Coat Systems Inc., Bit9 and Symantec Corp. Again, these systems place sensors around the world, but they are looking for particular network domains that are broadcasting malware. While reputation services have been around for several years, the difference is now these services are being integrated into the ordinary network firewall and IPS devices so they can do a better job of targeting malicious software and anomalous network events. Because these systems are collecting data from actual Internet traffic, they can serve as better early warning systems when new infections start moving across the globe.
Cisco's Security Intelligence Operations, which had its origins in the SenderBase product line, can be used in a wide variety of Cisco gear, including its IPS, Web Security Appliance and ASA CX firewall line. Because of Cisco's reach and market share, this can be a great first line of defense and identify a lot of potential exploits.
Some of the firewall vendors have taken things a step further. These companies have integrated geofencing with their own proprietary reputation management systems, so they can tie in their protection and identify particular domains that are known to send advanced malware as well as locate where lots of exploits originate. This means you can deny or allow traffic from particular countries using a simple series of menus.
But with all this technological firepower, it still isn't a fair fight. Tony Stirk is the president of Iron Horse, a consultancy in Springfield, Virginia. He cautions, "Nothing is perfect. Bad people want to hurt you. You will make mistakes. Stuff breaks. Incidents are inevitable. With that in mind, and imagining how things might go wrong, you can start designing in safety procedures that will make things more resilient, and response procedures in case something goes wrong. If you assume that you will eventually get an infection, the only real defense is to have reliable backups and good restore procedures."
About the author:
David Strom is a freelance writer and professional speaker based in St. Louis. He is former editor-in-chief of TomsHardware.com, Network Computing magazine and DigitalLanding.com. Read more from Strom at Strominator.com.