How can organisations protect against targeted malware?

Cybercriminals are employing new, sophisticated and highly targeted methodologies that are completely circumventing traditional security. In this article, Bradley Anstis takes a look at traditional network security solutions and explains how businesses can shore up their defences in the face of targeted attacks.

In recent years, cybercriminals have shifted the way they operate, abandoning large-scale, generalised scams such as malicious spam in favour of more targeted and customised techniques, such as spear-phishing aimed at senior executives in the hope of stealing passwords, customer details, critical company information and intellectual property (IP).

What is at stake is everything from military secrets to the operation of critical infrastructure like power and water utilities – no organisation or sector is immune.

What are targeted attacks and how have they evolved?

Today the perpetrators prefer to aim their attacks through well-crafted malware campaigns aimed at specific personnel and government agencies. These types of attacks are successful because they are stealthy, unique and personalised.

Cybercriminals research their victims and design authentic-looking Web and email communications that trick users into clicking an infected link or opening a document with embedded malware, while remaining none the wiser. The goal is to quietly infiltrate a system or network, remain there undetected for a long time, and steal information or monitor user activities.

The targeted attack on RSA’s two-factor authentication IP was carried out by convincing a small number of carefully selected employees to open an attachment in an email disguised as a message about the 2011 recruitment plans.

This exploited a zero-day vulnerability, allowing the hackers to install a remote administration tool (RAT) on the employees’ computers, which then gave them access to other parts of the network and let them quietly siphon off information over an extended period.

This example also shows that, in spite of all the security technology employed by the largest enterprises, user education still has a huge role to play in thwarting cybercriminals.

RSA is not alone. Recent research into the use of specialist malware found that 72 organisations had been targeted over a period of five years. Two of the targeted companies were UK organisations: one a computer security company and the other a defence contractor.

So if all of these organisations have invested in strong security solutions, why are targeted attacks succeeding?

Pros and Cons of popular solutions

The majority of malware infections occur via the Web and email, with 92% of attacks against organisations coming from the Web. While many organisations believe they are fully covered by popular security solutions such as anti-virus, URL filtering and firewalls, these technologies often fail to detect new and targeted attacks that have not previously been seen and categorised as malicious.

The new targeted attacks are dynamic and use different code each time to circumvent traditional security that relies on matching up malware with known signatures. Here’s a closer look at these technologies and why they are not designed to thwart today’s targeted, dynamic attacks.

URL filtering

URL filtering solutions were designed to address productivity, not security. By controlling which websites users could access and when, organisations could ensure workers stayed on task. URL filtering lists work by referring to a database that lists different websites by category, such as social media, banking, retail and gambling.

The categories are used to determine which websites users are allowed to access, and as a productivity tool, this works well. However, more than 84% of all websites serving up malware and targeted attacks today are legitimate websites listed within accessible categories. This renders URL filtering much less effective as a security tool.

IP reputation

Every website has its own IP address, like a phone number that helps your browser find the site you want. An IP reputation list indicates the malicious nature of a website by looking at how old the site is, who it was registered by, whether it has ever been seen in spam attacks and hundreds of other attributes. In this way, IP reputation was effective at detecting malicious websites.

To combat the effectiveness of this tool, cybercriminals changed their tactics: instead of creating their own websites, they began to infect legitimate websites, which by virtue of their prior histories had good reputations. For example, even BBC websites have been used by cybercriminals to host malware.

This enables cybercriminals to effectively bypass URL filtering and IP reputation solutions. In testing, IP reputation now catches less than 15% of infected websites.

Anti-virus scanners

Anti-virus scanners are a key part of a secure Web gateway, designed to protect users when they access the Internet. Initially, when anti-virus scanners were deployed at the gateway level, they were fairly successful; however, attackers refined their methods to escape detection through the use of dynamic malware and targeted attacks.

Anti-virus scanners are able to detect families and/or attributes of known malware variants. This means the anti-virus vendor would have to have detected and analysed the malware before users were exposed to it in the wild. With the dynamic nature of the code, there is no way all the malicious code could be categorised before a user becomes infected. Anti-virus still earns its place, however, as one layer of a layered approach to security when integrated into a secure Web gateway.

IPS/IDS solutions

Intrusion detection solutions (IDS) and intrusion prevention solutions (IPS) provide another layer in security architectures. Deployed on the network, they scan traffic looking for signs of suspicious behaviour. An IDS will detect suspicious activity on the network but not stop it, while an IPS solution, deployed inline to the network, will stop this activity.

These solutions still rely on a database of signatures and are thus vulnerable to new and zero-day malware attacks in the same way as anti-virus scanners are. As a security tool, IPS/IDS solutions are a better choice for an additional layer, and a more successful one, than stacking multiple anti-virus scanners together.

Application firewalls

Application firewalls are described as “next generation firewalls,” because they recognise applications regardless of port, protocol or other evasive techniques. Because they are able to recognise the applications traversing the firewall, next generation firewalls are able to scan the actual data stream for viruses and spyware.

Regardless, they still rely on anti-virus or IPS signatures to recognise malicious traffic and are therefore susceptible to targeted and zero-day attacks just like the other security methods discussed above.

Protecting against new and targeted malware

Because cybercriminals are constantly evolving their tactics, it is critically important to consider bolstering the older reactive technologies outlined above with newer, proactive technologies across both Email and Web gateways.

Instead of relying solely on whether a website is “good” or “bad,” based on reputation or a list of signatures, a proactive way to protect against new malware is to determine the actual intent of the code hidden within Web and email content before it is able to execute.

What is it trying to do on the potential victim’s computer? Are these the actions of legitimate software, or is the code trying to perform a suspicious action, such as copying files, opening settings or trying to exploit a known vulnerability?

By analysing Web content as it is being downloaded and looking for known or new viruses, attempted uses of known vulnerabilities and the apparent intent of any code, a secure Web gateway solution, using a mix of reactive and proactive controls, can accurately detect and protect against new and targeted malware that might be missed by traditional security solutions.

These real-time code analysis technologies are now being recognised as the most effective way to proactively prevent damaging targeted attacks.
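The layered gateway described above, as an added example that is not part of the original article or of any M86 Security product: a toy Python pipeline in which the three reactive layers from the earlier sections (URL category filtering, IP reputation scored from site age and spam history, and hash-based anti-virus/IDS signatures) run first, followed by a proactive intent-analysis layer that looks at what the code tries to do. The category database, reputation feed, signature set, the simplified script syntax (`copy_file(`, `set_registry(`, `spawn(`, `legacy_plugin_load(`) and the sample scripts are all constructed for the example. The constructed scenario is the one the article describes: a novel script with no signature yet, served from a compromised, long-lived, well-reputed news site, passes every reactive layer and is caught only by intent analysis.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed lookup data standing in for a vendor's URL-category database,
# IP-reputation feed and anti-virus signature set. None of these are real feeds.
URL_CATEGORIES = {"news.example.org": "news", "casino.example.net": "gambling"}
BLOCKED_CATEGORIES = {"gambling"}
IP_ATTRIBUTES = {
    "198.51.100.10": {"age_years": 12, "seen_in_spam": False},  # long-lived, clean history
    "203.0.113.5": {"age_years": 0, "seen_in_spam": True},      # freshly registered, spam history
}
KNOWN_BAD_SHA256 = {hashlib.sha256(b"old-malware-sample").hexdigest()}

# Intent rules over a simplified, constructed script syntax. A single action is
# not proof of malice, so the verdict requires several of them together.
INTENT_RULES = [
    ("copies files", re.compile(r"\bcopy_file\(")),
    ("modifies settings", re.compile(r"\bset_registry\(|\bwrite_hosts\(")),
    ("calls a known-vulnerable API", re.compile(r"\blegacy_plugin_load\(")),
    ("launches a process", re.compile(r"\bspawn\(")),
]
INTENT_THRESHOLD = 2


@dataclass
class Verdict:
    allowed: bool
    blocked_by: Optional[str] = None
    findings: List[str] = field(default_factory=list)


def category_layer(host: str) -> bool:
    """URL filtering: allow unless the site's category is on the block list."""
    return URL_CATEGORIES.get(host, "uncategorised") not in BLOCKED_CATEGORIES


def reputation_layer(ip: str) -> bool:
    """IP reputation: a site that is at least a year old and never seen in spam scores as good."""
    attrs = IP_ATTRIBUTES.get(ip, {"age_years": 0, "seen_in_spam": False})
    return attrs["age_years"] >= 1 and not attrs["seen_in_spam"]


def signature_layer(content: bytes) -> bool:
    """Anti-virus / IDS style check: block only content that has already been catalogued."""
    return hashlib.sha256(content).hexdigest() not in KNOWN_BAD_SHA256


def intent_layer(content: bytes) -> List[str]:
    """Proactive check: what does the code try to do, regardless of its hash?"""
    text = content.decode("utf-8", errors="replace")
    return [label for label, pattern in INTENT_RULES if pattern.search(text)]


def inspect(host: str, ip: str, content: bytes) -> Verdict:
    """Run the reactive layers first, then intent analysis on whatever got through."""
    if not category_layer(host):
        return Verdict(False, "url-filtering")
    if not reputation_layer(ip):
        return Verdict(False, "ip-reputation")
    if not signature_layer(content):
        return Verdict(False, "signature")
    findings = intent_layer(content)
    if len(findings) >= INTENT_THRESHOLD:
        return Verdict(False, "intent-analysis", findings)
    return Verdict(True, None, findings)


# Constructed samples: a benign page script, and a novel script (no signature
# exists for it yet) served from a compromised, well-reputed news site.
BENIGN_SCRIPT = b"show_banner('welcome'); track_click('article-42');"
NOVEL_MALICIOUS_SCRIPT = (
    b"legacy_plugin_load('plugin-v1');"
    b"copy_file('C:/Users/*/Documents', remote);"
    b"set_registry('Run', 'updater.exe'); spawn('updater.exe');"
)

if __name__ == "__main__":
    for label, host, ip, body in [
        ("benign page", "news.example.org", "198.51.100.10", BENIGN_SCRIPT),
        ("compromised news site", "news.example.org", "198.51.100.10", NOVEL_MALICIOUS_SCRIPT),
        ("gambling site", "casino.example.net", "203.0.113.5", BENIGN_SCRIPT),
    ]:
        v = inspect(host, ip, body)
        print(f"{label}: allowed={v.allowed} blocked_by={v.blocked_by} findings={v.findings}")
```

The ordering matters for cost as well as coverage: the cheap lookups run first and the content analysis only sees what they let through, which is how a gateway keeps latency acceptable while still inspecting the novel payload that no list or signature could have anticipated.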

A look ahead

Nowadays, any private or public sector organisation that uses Web and email communications and stores valuable data electronically must assume that its networks will be targeted by cybercriminals and hacktivists. By adding further layers of proactive security technology, educating users and enforcing sound security policies, organisations can move with the times and make their networks and data much more difficult to crack.


Bradley Anstis is Director of Technology Strategy at M86 Security. Bradley has been with M86 Security (formerly Marshal) since early 2004. He re-established Marshal's R&D centre following the management buy-out from NetIQ. As VP of Technology Strategy he is responsible for the development and improvement of M86 Security solutions, ensuring that M86 Security keeps ahead of emerging security trends and market requirements. Bradley is a 20-year veteran of the IT industry and previously held technical management positions with Protocom Development Systems and Citrix.