Whether the goal of a malware attack is ad clicks, building a botnet, or something more damaging, no one disputes that preventing and combating these infestations is an important focus for security groups. But too often this battle overshadows an even bigger threat to an organization: a targeted data breach, which calls for a very different orientation and set of tools.
In a targeted attack, malware is for the most part optional, and if it is used at all it is a side tool rather than the main component. Attackers will engineer their way into a network with or without malware, and once inside they are more likely to use built-in utilities, a command-line interface, and other administrative functions to advance the breach. This process is rarely automated and certainly not autonomous, which leads to:
Mistake #1: Focusing breach detection on malware detection
Because a successful targeted data breach is an iterative process in which the attacker bypasses prevention technologies, he will, by definition, have bypassed the security tools that deal with malware, whether or not he uses malware. Most of his activity will be reconnaissance to understand the network and lateral movement to get closer to important assets.
More challenging still: if you do detect malware, how do you know whether you have uncovered a targeted attack? Looking at the malware alone, it is difficult to tell whether it is connected to some larger attack. In some cases, identifying and removing malware even gives a security team a false sense of security; it keeps them busy and productive while making them think they are doing all they can to detect an active breach.
How to avoid Mistake #1
- Focus breach detection on the behaviors an attacker necessarily exhibits (reconnaissance, lateral movement), not on technical artifacts like malware. To detect active breaches, conduct ongoing behavioral analysis of computers and users rather than relying on sandboxing and IOC (indicators of compromise) matching. Sandboxing is simply malware detection, and IOC matching only finds artifacts that have already been catalogued, so neither covers an attacker working with legitimate administrative tools.
- If malware or a malicious tool is detected, don't end the investigation there. Many targeted attacks use relatively simple Remote Access Tools (RATs) and commodity malware variants such as Zeus. Ask what is special about the computer or its owner. Where else is this malware, tool, or utility used? What information or resources are accessible from this asset? Asking these questions is the key to differentiating between mass malware and a targeted attack. On one hand you don't want to waste precious resources investigating simple malware; on the other hand, if you suspect the attack is targeted, you need to understand it early in the process to enable further investigation.
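As an added example (not code from the original article), the following Python script runs both approaches over a constructed event log: an IOC hash match, which finds nothing because the attacker works with built-in administrative tools, and a behavioral rule that flags one account reaching many distinct hosts from one workstation inside a short window, followed by the pivot recommended above (where else did this account use the same tools?). Every log line, host name, hash and the account name are constructed sample data; the 10-minute window and the five-host threshold are illustrative assumptions.

```python
"""Behavioral breach detection over constructed event logs.

Contrasts an IOC (file-hash) match with a behavioral rule for lateral
movement, then pivots from the hit to answer "where else was this
tool used?". All events, hosts and hashes below are constructed
sample data, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp,user,src_host,dst_host,process,sha256".
# The hash column holds placeholders, not real file hashes.
SAMPLE_LOG = """\
2015-03-02T09:01:10,alice,WS-017,FS-01,explorer.exe,aaaa0001
2015-03-02T09:03:44,bob,WS-022,MAIL-01,outlook.exe,aaaa0002
2015-03-02T09:12:05,svc_backup,WS-017,DC-01,net.exe,bbbb0001
2015-03-02T09:12:31,svc_backup,WS-017,FS-01,net.exe,bbbb0001
2015-03-02T09:13:02,svc_backup,WS-017,FS-02,net.exe,bbbb0001
2015-03-02T09:13:40,svc_backup,WS-017,HR-DB-01,psexec.exe,bbbb0002
2015-03-02T09:14:15,svc_backup,WS-017,FIN-DB-01,psexec.exe,bbbb0002
2015-03-02T09:14:50,svc_backup,WS-017,WS-031,psexec.exe,bbbb0002
2015-03-02T10:40:00,carol,WS-031,FS-01,explorer.exe,aaaa0001
2015-03-02T11:05:12,svc_backup,WS-031,FIN-DB-01,psexec.exe,bbbb0002
"""

# Constructed IOC feed: hashes of previously catalogued malware. Nothing in
# the sample matches, because the attacker used ordinary admin tooling.
KNOWN_BAD_HASHES = {"deadbeef01", "deadbeef02"}

WINDOW = timedelta(minutes=10)        # assumption: sliding window size
DISTINCT_HOST_THRESHOLD = 5           # assumption: hosts reached before alerting


def parse_events(text):
    """Turn the CSV-style sample into dicts with a parsed timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, user, src, dst, proc, sha = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "dst": dst, "proc": proc, "sha": sha})
    return events


def ioc_hits(events, bad_hashes=KNOWN_BAD_HASHES):
    """Artifact detection: events whose file hash is a known IOC."""
    return [e for e in events if e["sha"] in bad_hashes]


def lateral_movement_hits(events, window=WINDOW, threshold=DISTINCT_HOST_THRESHOLD):
    """Behavioral detection: one account, from one source host, reaching
    `threshold` or more distinct destinations inside a sliding window.
    Returns {(user, src): set_of_destinations} for each offender."""
    by_actor = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_actor[(e["user"], e["src"])].append(e)
    hits = {}
    for actor, evs in by_actor.items():
        for i, first in enumerate(evs):          # window starts at each event
            reached = {x["dst"] for x in evs[i:] if x["ts"] - first["ts"] <= window}
            if len(reached) >= threshold:
                hits[actor] = reached
                break
    return hits


def pivot_tool_usage(events, user, procs):
    """Follow-up question: where else did this account run the same tools?
    Returns {process: sorted source hosts}; extra hosts are further footholds."""
    usage = defaultdict(set)
    for e in events:
        if e["user"] == user and e["proc"] in procs:
            usage[e["proc"]].add(e["src"])
    return {p: sorted(h) for p, h in usage.items()}


def investigate(text=SAMPLE_LOG):
    """Run IOC matching, the behavioral rule, and the pivot; return a report."""
    events = parse_events(text)
    report = {"ioc_hits": len(ioc_hits(events)), "lateral": {}, "pivots": {}}
    for (user, src), dsts in lateral_movement_hits(events).items():
        procs = {e["proc"] for e in events
                 if e["user"] == user and e["src"] == src and e["dst"] in dsts}
        report["lateral"][(user, src)] = sorted(dsts)
        report["pivots"][user] = pivot_tool_usage(events, user, procs)
    return report


if __name__ == "__main__":
    import pprint
    pprint.pprint(investigate())
```

On this sample the IOC check returns zero hits, while the behavioral rule flags svc_backup on WS-017 reaching six hosts in under three minutes, and the pivot shows the same account running psexec.exe from WS-031 as well, which is exactly the second foothold a malware-only cleanup of WS-017 would miss.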
Mistake #2: Focusing the remediation process on malware removal
If a security professional does discover suspicious behavior, simply removing malware or re-imaging a machine won't achieve a lot. When a breach is discovered it is usually difficult to understand its full extent, yet security organizations generally rush to re-image the computer or remove the malware as quickly as possible; some even measure that time and try to optimize it. If you are facing a targeted attack, this practice doesn't change the fact that the attacker controls your network. An attacker inside the network usually has multiple footholds. Removing one tips off the attacker that you are aware of him, and destroys any evidence that machine held.
How to avoid Mistake #2
- Instead of focusing on removing the malware and re-imaging the machine, focus on the significance of the endpoint, its owner, and the detected behavior. Record the machine's purpose, its owner, and the malware or program involved in the behavior, and capture a snapshot of the machine (disk and, where possible, memory) before removing the malware or re-imaging it, since re-imaging destroys that evidence. After remediation is completed, keep tracking the case (user, machine, and related assets).
- Remediation should start with triage and investigation of the suspicious behavior, based on both network context, which gives breadth and complete visibility, and endpoint context, which provides depth and root-cause analysis. Most breach detection programs implemented in organizations today will find suspicious network activity but have no endpoint context, which leads to blind decisions to re-image the machine.
It’s time to start responding to data breaches with new tools and new thinking. Don’t let malware prevention tactics become the basis of post-intrusion detection.