Next-generation malware: Think like the enemy and avoid the car alarm problem

When it comes to enterprise security, one rule remains constant – attacks will continue to increase in sophistication and attackers will seek to outmaneuver existing defenses. Next-generation malware attacks are VM-evasive, can arrive via social engineering or physical delivery (a USB drive), and can be targeted at a specific folder or application that a business is known to use regularly. Some attacks hide in plain sight, lulling sandboxing technologies into treating them as benign until a pre-programmed date. Multi-stage and multi-vector attacks, arriving from different places, are an increasingly common tactic of next-gen malware.

Attackers have even started to use SSL-encrypted channels to spread attacks, effectively hiding the attack from traditional malware analysis. These attacks are difficult to uncover because the SSL tunnel can be undetectable from within a phone's browser or mobile apps.

Unfortunately, most businesses have invested in technology that is now an inadequate, or at best incomplete, defense. To combat the next generation of malware, businesses will require the next generation of malware analysis. Have you heard the phrase “think like the enemy”?

When considering the next step in constructing an advanced persistent threat (APT) defense, know that the bad guys expect you to have a sandbox, and will most likely send one or more forms of malware into the environment at the same time to see what can get through. Specifically, they expect to encounter a VM environment and develop their attacks accordingly.

IT administrators can employ ghost users that throw off the malware by mimicking mouse movements and responding to dialog windows. This tricks the malware into thinking it is interacting with a human, so it exposes itself. Next-generation malware will also look for tell-tale signs of a VM environment and, if it detects one, will hide and perform no malicious behavior.

Most modern APT defenses are able to detect the majority of dangerous intrusions. The problem is that they rank dangerous threats the same as minor threats, flooding network security centers with hundreds, even thousands, of alerts per day. We call this the “car alarm” problem.

We hear car alarms all the time, so much so that we've learned to ignore them. Network security administrators, and even IT executives, receive so many false-positive reports every day that when a real threat is flagged, its urgency is diluted among a multitude of other “threats” and it is ignored. The “car alarm” phenomenon has been the cause of almost every major data breach in recent years – and it's not going away.

In a modern approach to malware defense, aim to reduce the number of threats that get analyzed through pre-filtering, and analyze only the ones that pertain to your business. By reducing the number of analyzed threats through threat scoring, IT teams are presented with a much more manageable number to vet. For example, if your business is a law firm and a piece of malware that can infect point-of-sale (POS) machines is flagged, it should be categorized as a “low threat.” The same piece of malware should be categorized as a “high threat,” however, if your business is a retail store.
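The scoring idea above, worked through as an added example (not code from the article or from any vendor's product): each sandbox verdict carries capability and evasion tags, and the score weighs them against a business profile so that the POS scraper ranks low at a law firm and high at a retailer. The tag taxonomy, the weights, the application names and the sample reports are all constructed assumptions for illustration.

```python
"""Threat scoring to tame the "car alarm" problem.

Added example, not from the article or any vendor product: sandbox analysis
produces a report with capability and evasion tags for each sample; the score
weighs those tags against a business profile so that detections irrelevant to
the business rank low and relevant ones rank high. All tag names, weights and
sample data below are constructed for illustration.
"""
from dataclasses import dataclass

# Hypothetical taxonomy: which sectors each malware capability actually threatens.
CAPABILITY_SECTORS = {
    "pos_memory_scraper": {"retail", "hospitality"},
    "document_exfiltration": {"legal", "finance", "healthcare"},
    "banking_trojan": {"finance", "retail"},
    "ransomware": {"retail", "legal", "finance", "healthcare", "manufacturing"},
}

# Sandbox-evasion behaviours worth a bump: a sample that probes for a VM or
# waits for a date or for mouse activity before acting is hiding something.
EVASION_TAGS = {"vm_check", "date_trigger", "mouse_check", "long_sleep"}

RELEVANT_CAPABILITY = 40   # capability applies to this business's sector
IRRELEVANT_CAPABILITY = 5  # capability exists but targets another sector
TARGETED_APP_HIT = 30      # sample touched an app/folder from the gold image
EVASION_PER_TAG = 10
EVASION_CAP = 20


@dataclass(frozen=True)
class BusinessProfile:
    sector: str
    applications: frozenset   # application names / folders in the gold image


@dataclass(frozen=True)
class SampleReport:
    sample_id: str            # placeholder label, not a real hash
    capabilities: frozenset
    evasion: frozenset
    targeted_apps: frozenset  # apps/folders the sample probed in the sandbox


def score_sample(report, profile):
    """Return (score 0-100, list of human-readable reasons)."""
    score = 0
    reasons = []
    for cap in sorted(report.capabilities):
        if profile.sector in CAPABILITY_SECTORS.get(cap, set()):
            score += RELEVANT_CAPABILITY
            reasons.append(f"{cap}: relevant to {profile.sector}")
        else:
            score += IRRELEVANT_CAPABILITY
            reasons.append(f"{cap}: not relevant to {profile.sector}")
    hits = report.targeted_apps & profile.applications
    if hits:
        score += TARGETED_APP_HIT
        reasons.append("targets in-use apps: " + ", ".join(sorted(hits)))
    evasive = report.evasion & EVASION_TAGS
    if evasive:
        score += min(EVASION_PER_TAG * len(evasive), EVASION_CAP)
        reasons.append("sandbox evasion: " + ", ".join(sorted(evasive)))
    return min(score, 100), reasons


def triage_level(score):
    if score >= 70:
        return "high"
    if score >= 35:
        return "medium"
    return "low"


def rank_alerts(reports, profile):
    """Order a day's sandbox verdicts so the relevant ones surface first."""
    ranked = []
    for r in reports:
        score, reasons = score_sample(r, profile)
        ranked.append((score, triage_level(score), r.sample_id, reasons))
    ranked.sort(key=lambda t: t[0], reverse=True)
    return ranked


# Constructed sample data: the article's POS-scraper example as seen by a law
# firm and by a retailer, plus a document stealer for contrast.
POS_SCRAPER = SampleReport("sample-A", frozenset({"pos_memory_scraper"}),
                           frozenset({"vm_check"}), frozenset({"POSClient"}))
DOC_STEALER = SampleReport("sample-B", frozenset({"document_exfiltration"}),
                           frozenset(), frozenset({"CaseManager"}))

LAW_FIRM = BusinessProfile("legal", frozenset({"CaseManager", "Outlook"}))
RETAILER = BusinessProfile("retail", frozenset({"POSClient", "Outlook"}))

if __name__ == "__main__":
    for name, profile in (("law firm", LAW_FIRM), ("retailer", RETAILER)):
        print(f"--- {name} ---")
        for score, level, sid, reasons in rank_alerts([POS_SCRAPER, DOC_STEALER], profile):
            print(f"{sid}: {score:3d} {level:6s} {'; '.join(reasons)}")
```

The same POS scraper scores 15 (low) for the law firm and 80 (high) for the retailer; the reasons list is kept alongside the number so an analyst can see why a verdict was demoted rather than having to trust a bare score.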

Another must: customize the sandbox to the exact environment. In an attack, the malware creator might already know that the targeted business uses a specific customized application, and the malware will be written specifically for that environment. If the sandbox is not customized to the exact environment, the malware can get past it and attack that one application. If the sandbox only mimics a generic Windows environment, it won't detect attacks targeting the custom applications or folders. Look for a sandbox into which “gold” images can be deployed.
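A practical check for the gold-image advice, as an added example that is not code from the article or from any sandbox product: compare the production gold-image inventory with the sandbox's image, report what the sandbox lacks, and flag any sample whose "benign" verdict rests on an application or folder the sandbox never had. The inventory format, the application names, versions and folder paths are all constructed assumptions.

```python
"""Verify that a sandbox image actually mirrors the production "gold" image.

Added example, not from the article or any sandbox vendor: compares a
production gold-image inventory with the sandbox's image and reports the gaps
a targeted sample could slip through. Inventory format and all values are
constructed for illustration.
"""

# Constructed inventories, in the shape an endpoint-management export might give.
GOLD_IMAGE = {
    "os": "Windows 10 1607",
    "applications": {
        "Microsoft Office": "16.0.4266",
        "Adobe Reader": "11.0.10",
        "CaseManager": "7.2.1",   # line-of-business app only this firm uses
    },
    "folders": {r"C:\CaseFiles", r"C:\Users\Public\Templates"},
}

# A generic sandbox image: right Office build, old Reader, no custom app/folder.
GENERIC_SANDBOX = {
    "os": "Windows 7 SP1",
    "applications": {"Microsoft Office": "16.0.4266", "Adobe Reader": "9.5.0"},
    "folders": {r"C:\Users\Public\Templates"},
}


def coverage_gaps(gold, sandbox):
    """Return what the sandbox lacks relative to the gold image."""
    gold_apps, sb_apps = gold["applications"], sandbox["applications"]
    shared = set(gold_apps) & set(sb_apps)
    return {
        "os_mismatch": None if gold["os"] == sandbox["os"]
                       else (gold["os"], sandbox["os"]),
        "missing_apps": set(gold_apps) - set(sb_apps),
        # same app present, but a different build than production runs
        "version_mismatch": {app: (gold_apps[app], sb_apps[app])
                             for app in shared if gold_apps[app] != sb_apps[app]},
        "missing_folders": set(gold["folders"]) - set(sandbox["folders"]),
    }


def is_faithful(gaps):
    """True only when the sandbox matches the gold image on every axis."""
    return (gaps["os_mismatch"] is None
            and not gaps["missing_apps"]
            and not gaps["version_mismatch"]
            and not gaps["missing_folders"])


def blind_spots(probed, gaps):
    """Given the apps/folders a sample probed during detonation, return those
    the sandbox could not have presented. A 'did nothing' verdict for such a
    sample is not trustworthy: it may simply have found its target absent."""
    unobservable = gaps["missing_apps"] | gaps["missing_folders"]
    return set(probed) & unobservable


if __name__ == "__main__":
    gaps = coverage_gaps(GOLD_IMAGE, GENERIC_SANDBOX)
    print("sandbox faithful to gold image:", is_faithful(gaps))
    for key, value in gaps.items():
        print(f"  {key}: {value}")
    # Constructed detonation result: the sample looked for the firm's app and folder.
    probed = {"CaseManager", r"C:\CaseFiles", "Microsoft Office"}
    print("verdict blind spots:", blind_spots(probed, gaps))
```

Run this whenever the gold image changes; a non-empty `blind_spots` result is the signal to re-detonate the sample on an image that actually carries the customized application and folders rather than to close the alert.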

Next-generation malware is quickly becoming the go-to form of malware attacks today. Defending against these attacks will become more difficult over time – the wrong approach will disintegrate quickly, leaving your business vulnerable. Consider modernizing your malware defense approach with these easy tips to better protect against next-generation malware.
