3/31/2017 12:00 PM
John Moynihan
Commentary

Customized Malware: Confronting an Invisible Threat

Hackers are gaining entry to networks through a targeted approach. It takes a rigorous defense to keep them out.

How secure is your network from unauthorized access?

Before you launch into a practiced response regarding your best-in-class firewall and robust antivirus software, you should know that the rapidly evolving malware landscape has rendered these technologies increasingly ineffective. Prolific, adaptable hackers are deploying customized malware to compromise networks throughout the financial services, healthcare, technology, and government sectors. However, it is possible to mitigate the risk.

What Is Customized Malware?
Customized malware is malicious software that has been modified, repacked, or freshly compiled so that it evades detection by traditional security technologies. It comes in many forms, including ransomware, and the most common delivery method is inbound email, via a phishing or spearphishing attack. Because traditional antivirus products rely on signature-based detection, only variants whose signatures have already been catalogued are successfully quarantined. The modified variants therefore escape detection at an alarming rate.

Whenever a new malware variant is identified, a signature update that addresses this specific variant is created, distributed, and installed. (This is a detection update for the antivirus engine, not a software patch that removes an underlying vulnerability; both matter, but they address different problems.) In an enterprise environment, conscientious security administrators ensure that all new updates are installed as soon as possible. Unfortunately, the period that elapses between identification and analysis of a new variant and the distribution of an update can be 30 to 90 days. In the interim, organizations are significantly exposed to the risk of a customized malware attack.

Although these undetectable threats have existed for several years, the widely publicized attack on Target provided an unprecedented glimpse of how customized malware is used. In that breach, the malware installed within the company's network permitted a group of hackers, based in Eastern Europe, to perform extensive system reconnaissance and, ultimately, steal over 40 million credit and debit card numbers without ever being internally detected.

Shortly after the attack on Target, the United States Secret Service initiated an investigation and engaged iSIGHT Partners to assist in the forensic review. In January 2014, iSIGHT issued a report entitled "KAPTOXA Point of Sale Compromise." The KAPTOXA report revealed that the malware variant used to attack Target had a 0% antivirus detection rate at the time of analysis. Simply put, the malware was customized so that signature-based tools could not see it.

Mitigation Approach
The evasive nature of customized malware requires the implementation of a multilayered approach to data protection and network security. Given that antivirus products have become increasingly ineffective in preventing these attacks, enterprises can't rely solely on security technologies. An approach that combines employee education, threat containment, and network monitoring will reduce the risk of a customized malware penetration.

Education: Given that phishing and spearphishing remain the most prevalent delivery methods for initiating a customized malware campaign, it's essential that enterprises provide all users with clear, practical guidance on how to identify and guard against this tactic. Management must recognize that all users, whether employees, contractors, or interns, face a continuous barrage of social engineering overtures and are therefore potential conduits for malware. The most proactive method of preventing an attack is workforce education. The education process begins with the distribution of a clear, current information security policy that provides specific, practical guidance.

The next element of effective cyber education is mandatory employee training. The curriculum must be aligned with the policy and include a discussion of employee responsibility, an explanation of prohibited activities, and a description of the consequences for violators. An ongoing training program is a central element of an organization's cybersecurity program, without which users will engage in arbitrary and irresponsible behavior when using technology resources.

Containment: Although educating users will reduce an organization's risk of being compromised by a customized malware attack, it doesn't eliminate the threat. Through effective network segmentation, intruders may be contained within segments that do not house or process confidential information. Network segmentation is the process by which a network is divided into subnetworks, letting an enterprise restrict access to each segment to only those systems and users with a clear business need. If intruders surreptitiously enter a "flat" network, one that hasn't been properly segmented, they can move laterally and may gain access to payment applications, databases storing personal information, or intellectual property. In a properly segmented network, all critical technologies are isolated and the confidential data residing there is protected.

Think of your local bank. When you walk in, your access is restricted to the teller window and perhaps the branch manager's office. The bank doesn't permit customers unrestricted access from the lobby to the vault or safe deposit boxes. This is an example of a segmented physical environment but is analogous to network segmentation.
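The following Python model makes the flat-versus-segmented contrast concrete. It is an added example and is not code from the article or from any product the article mentions. The segment address ranges, the business-need allowlist, and the sample flows are all constructed for illustration; a real policy would be expressed in firewall or switch ACLs, but the logic is the same: default deny, with each permitted flow tied to a stated business need.

```python
import ipaddress

# Hypothetical retailer layout (constructed for this example).
SEGMENTS = {
    "corp_workstations": ipaddress.ip_network("10.10.0.0/16"),
    "pos_terminals":     ipaddress.ip_network("10.20.0.0/16"),
    "payment_app":       ipaddress.ip_network("10.30.0.0/24"),
    "card_db":           ipaddress.ip_network("10.40.0.0/24"),
}

# Default-deny allowlist: (source segment, destination segment, TCP port).
# Only flows with a documented business need appear here.
SEGMENTED_POLICY = {
    ("pos_terminals", "payment_app", 8443),      # terminals submit authorisations
    ("payment_app", "card_db", 5432),            # payment app reaches its database
    ("corp_workstations", "payment_app", 443),   # back-office reporting UI
}


def segment_of(ip):
    """Map an address to its segment name, or 'external' if it is in none."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"


def is_allowed(src_ip, dst_ip, port, policy=SEGMENTED_POLICY, flat=False):
    """Return True if the flow is permitted.

    flat=True models an unsegmented network: any internal host may reach any
    other internal host on any port, which is the situation the text warns about.
    """
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if flat:
        return src != "external" and dst != "external"
    return (src, dst, port) in policy


def denied_flows(flows, **kwargs):
    """Return the subset of (src, dst, port) flows the policy would block."""
    return [f for f in flows if not is_allowed(*f, **kwargs)]


# Constructed flows: the first three are legitimate; the last two are what a
# phished workstation (or an intruder controlling it) would attempt.
SAMPLE_FLOWS = [
    ("10.20.5.15", "10.30.0.10", 8443),
    ("10.30.0.10", "10.40.0.20", 5432),
    ("10.10.44.7", "10.30.0.10", 443),
    ("10.10.44.7", "10.40.0.20", 5432),   # workstation straight to the card database
    ("10.10.44.7", "10.20.5.15", 445),    # workstation pushing SMB at a POS terminal
]

if __name__ == "__main__":
    print("flat network denies:     ", denied_flows(SAMPLE_FLOWS, flat=True))
    print("segmented network denies:", denied_flows(SAMPLE_FLOWS))
```

On the flat network nothing is denied, so a foothold on a workstation is a foothold on the card database. Under the segmented policy the two lateral-movement attempts are blocked while the three legitimate flows still pass, which is the property to verify whenever a new rule is added.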

Monitoring: If an employee awareness program and network segmentation fail to prevent an intrusion, system monitoring allows entities to identify and disrupt malicious activity. Although customized malware may evade conventional firewall and antivirus technologies, the activity it generates once running is observable through network monitoring. For instance, although data-scraping malware may penetrate a retailer's point-of-sale environment without detection, network monitoring can detect credit card data being exported from the infected terminals to suspicious external locations.

Network monitoring is the process by which select components, such as customer databases, are continuously analyzed to detect unauthorized access. A variety of automated monitoring solutions provide the capability of generating real-time alerts of potential network threats. Network monitoring administered by properly trained staff gives an enterprise a final layer of protection against unauthorized access.
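To show what the point-of-sale detection described above looks like in practice, here is an added example that is not part of the article and not the output of any monitoring product it refers to. It runs over a few constructed flow-log lines (the field names, addresses, and byte counts are all hypothetical) and flags traffic leaving the POS segment for a destination that is not on the approved list, escalating when the transfer is bulk or when the captured payload sample contains Luhn-valid card numbers.

```python
import ipaddress
import re

# Hypothetical POS segment and the destinations it is expected to reach
# (constructed; in practice the payment processor and internal update servers).
POS_SEGMENT = ipaddress.ip_network("10.20.0.0/16")
APPROVED_DESTINATIONS = {
    ipaddress.ip_network("10.30.0.0/24"),      # internal payment application
    ipaddress.ip_network("198.51.100.0/24"),   # hypothetical payment processor
}
EXFIL_BYTES_THRESHOLD = 1_000_000  # bytes out per flow; tune to the environment

UNAPPROVED = "destination not in approved set"
BULK = "bulk outbound transfer"
CARD_DATA = "Luhn-valid card numbers in payload"

# Constructed log format; real sensors differ, only the regex would change.
LOG_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"bytes_out=(?P<bytes>\d+)(?: sample=(?P<sample>\S+))?"
)
PAN_RE = re.compile(r"(?<!\d)\d{15,16}(?!\d)")


def luhn_valid(digits):
    """Standard Luhn checksum; filters out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def contains_pan(text):
    return any(luhn_valid(m) for m in PAN_RE.findall(text))


def is_approved(dst):
    return any(dst in net for net in APPROVED_DESTINATIONS)


def analyse(log_text):
    """Return one alert per POS-sourced flow to an unapproved destination."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        if src not in POS_SEGMENT or is_approved(dst):
            continue
        reasons = [UNAPPROVED]
        if int(m["bytes"]) >= EXFIL_BYTES_THRESHOLD:
            reasons.append(BULK)
        if m["sample"] and contains_pan(m["sample"]):
            reasons.append(CARD_DATA)
        alerts.append({"src": str(src), "dst": str(dst),
                       "dport": int(m["dport"]), "reasons": reasons})
    return alerts


# Constructed sample: two normal POS flows, one exfiltration to an external
# FTP server, one workstation flow outside the POS scope, and one POS terminal
# reaching into the card database segment (lateral movement, no bulk data yet).
SAMPLE_LOG = """\
2017-03-31T02:14:07Z src=10.20.5.15 dst=10.30.0.10 dport=8443 bytes_out=2048
2017-03-31T02:14:09Z src=10.20.5.15 dst=198.51.100.20 dport=443 bytes_out=4096
2017-03-31T02:15:31Z src=10.20.5.15 dst=203.0.113.77 dport=21 bytes_out=1843200 sample=4111111111111111;4012888888881881
2017-03-31T02:16:02Z src=10.10.44.7 dst=203.0.113.77 dport=443 bytes_out=512
2017-03-31T02:17:45Z src=10.20.7.3 dst=10.40.0.20 dport=5432 bytes_out=120
"""

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

The detection does not depend on recognising the malware itself: a terminal that only ever needs to talk to the payment application and the processor has no legitimate reason to open an FTP session to an address on the public Internet, let alone to push a megabyte of Luhn-valid digits through it. The fourth line is deliberately ignored because the source is a workstation; a production deployment would apply a separate expected-destination profile to that segment rather than silently skipping it.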

Customized malware poses an unprecedented risk to virtually all organizations. Organizations that fail to understand the dynamic nature of this situation and adjust their approach accordingly are at imminent risk of a cyberattack and the consequences that accompany these incidents.  

John Moynihan, CGEIT, CRISC, is President of Minuteman Governance, a Massachusetts cybersecurity consultancy that provides services to public and private sector clients throughout the United States. Prior to founding this firm, he was CISO at the Massachusetts Department of ...