Not long ago, an IT security analyst at a major southeast U.S.-based distributor of electronic components spotted some peculiar network activity. The analyst had been evaluating Netflow network traffic data and identified that someone, or something, was conducting periodic scans of large blocks of IP addresses.
"We were breached," said the analyst, who spoke to SearchSecurity.com under the condition of anonymity. "We found numerous systems infected in one of our warehouses," he added, "as well as our administrative network."
An attacker had been on the company's network for at least six weeks; numerous endpoints and a number of servers had been compromised. While the analyst said he is confident that the malware has been cleansed from the network and that the attackers have been shut out (for now), he's not sure how the breach occurred.
"Not knowing the initial vector of infection is concerning," he said. "It's always possible that they're still on our network, somewhere."
There are characteristics of this breach that are both common and uncommon. It's common that a breach would go undetected for so long. What's uncommon is that the security team managed to find the breach on its own. According to the 2012 Verizon Data Breach Investigations Report, or DBIR, many breaches go unnoticed for long periods, and 92% of breached organizations learn of the incident not internally but from a third party.
Welcome to the world of customized malware attacks, where attackers are, when necessary, using generic, broadly accessible attack code merely as a starting point to craft custom attacks that slither right under an organization's radar.
"It's tough to quantify," said David Shackleford, senior vice president of research and chief technology officer at Boston-based IANS, "but there is definitely more customized malware seen in attacks today."
There is plenty of anecdotal evidence, as word breaks of a new targeted zero-day attack on a near-daily basis. Additionally, an August survey on targeted attacks by Waltham, Mass.-based vendor CounterTack Inc. revealed that more than half of the 100 infosec executives surveyed said their organizations had been targeted in the past 12 months.
Perhaps one of the reasons customized malware attacks -- or attacks in general -- are so successful is that there is too great a focus on malware, argued Lenny Zeltser, a senior faculty member at the SANS Institute.
"We often become fixated on the malware component of the attack, perhaps because it is a tangible artifact we can see and analyze once it has been discovered," Zeltser said. "It might be more useful to consider the incident in a larger context: Custom malware is usually used as part of a targeted attack where a motivated adversary strives to achieve an objective."
Zeltser said that for optimal defense, organizations should examine all aspects of the attack lifecycle and avoid fixating on the malware. That refocusing includes an emphasis on the ability to detect and respond to incidents as they occur. That approach sounds straightforward, but that doesn't mean it's easy to execute. To combat custom malware, organizations need to rethink not only the technologies they use to defend their systems, but also the processes they have in place.
In an interview with SearchSecurity.com, Eugene Kaspersky, CEO and co-founder of antimalware vendor Kaspersky Lab, said organizations need to make it much more difficult and expensive for attackers to circumvent defenses. He cited the famous Stuxnet Trojan attack, which reportedly found its way onto a fully disconnected network at Iran's Natanz refining facility, as an example of how difficult it is to protect even fully air-gapped networks.
To defend against targeted malware attacks, Kaspersky also cited application whitelisting as a viable countermeasure. "If an application does something it's not supposed to do, it is immediately blocked through a default deny," he said. "If you create a default environment where only whitelisted applications are allowed to run, it's probably the best chance to stop any sophisticated malicious applications from running."
Pete Lindstrom, research director at Spire Security, also cited whitelisting, or application control, as important defenses, but noted that they aren't perfect solutions. "That's not easy all of the time, as environments change and some environments change quite often," he said. "But to defend against targeted attacks, organizations need to be prudent without being scared."
Part of that prudence is having an incident response team and effective forensic investigative capabilities. And, according to Zeltser, once custom malware is identified, it's important to examine both the malware and the environment in which it was found to gain an understanding of the magnitude of the incident. He also said that an organization needs to be able to identify the attackers' likely objectives by understanding the nature of the systems breached and the data they possess, the capabilities of the malware, and how the malware was used.
"Forensic analysis helps the enterprise determine how to proceed to contain the adversary's scope of influence within the organization, remove malicious artifacts, and ultimately recover," Zeltser said.
About the author:
George V. Hulme writes about security and technology from his home in Minneapolis. You can also find him tweeting about those topics on Twitter @georgevhulme.