Attacks/Breaches

5/28/2013
09:31 AM
Mike Rothman
Mike Rothman
Commentary
50%
50%

The Network And The Malware

This is the first installment of a two-part series in which Mike Rothman and Wendy Nather will tackle how to use the network for detection, monitoring, and forensics of advanced malware

Given the IPO talk for high-flying startups providing network-based advanced malware detection gear and the weekly announcements of incumbent network security players announcing competing products, you'd think the industry has come up with a cure for cancer or some way to entice attackers to stop trying to rob you blind. It hasn't. In fact, as my partner Rich Mogull frequently says, you can't change human behavior -- EVER. So the attackers will pretty much always attack.

The question is, what can you do as a defender to make it harder for the attackers to successfully compromise your environment? It's no secret that well-funded and capable adversaries will defeat your defenses, but you want to make them work for it. If the so-called advanced attackers don't have to use advanced attacks (and they won't unless they have to), then you stink at security. On the other hand, if your high-end, high-priced forensicators find all sorts of 0-day malware and other nonstandard attacks, then you should be happy. OK, maybe not happy, but you should have some small sense of satisfaction that you made it hard on the adversary, while you are cleaning out your desk.

Where was I again? Oh, yeah, the network's role in detecting these advanced malware attacks. Basically we know traditional endpoint protection leaves a lot to be desired against advanced malware (yes, that's a politically correct way of saying it doesn't work). We also know that we can't totally lock down all of our devices, not without having your employees burn you in effigy in the parking lot. That explains the interest in these network-based malware detection devices to help get rid of some of the malware crap before gets into your environment.

The story goes that these devices can detect bad stuff on the perimeter. The sales reps will tell you they've figured out how to stop the APT, make your CIO respect you, and allow you to actually spend a holiday like Memorial Day drinking beer, eating BBQ, and remembering the heroes who defend your homeland -- instead of how you usually spend the holiday, which is trying to figure out how your customer database ended up on Pastebin.

To be clear, you aren't going to be able to block 100 percent of the advanced malware targeting your organization on your perimeter. No matter what the vendor sales rep tells you. But if you can block an incremental 50 percent of the malware before your idiotic users even have a chance to click on the link or open the PDF attachment, is that worth it? You bet it is.

So how does it work? These devices are basically sophisticated sandboxes that execute inbound files within an allegedly safe environment either on the box or in a cloud-based sandbox to determine whether the file exhibits bad behavior and therefore would be malware. Of course, it's a little more complicated than that, but that's the general concept. There is a religious battle brewing between those folks who think you should have the sandbox on the device and those who think you need to use a cloud-based environment to test the malware. I think over time the cloud-based approach will prevail, but either way the idea of analyzing files before they end up on your devices is a good thing.

Another value of this network-based approach is these devices also monitor egress traffic to detect communications between a potentially compromised device and a command-and-control network. So in the event the box misses the malware on the way in (and a percentage of the time it will), you get a chance to detect when the malware is connecting to its master.

Yet the malware arms race continues. The attackers are learning how these devices work and will develop evasion techniques to defeat these devices, too. That's the way of the world. That means you need to break out your Security 101 manual and revisit the layered defense doctrine. You'll need to make additional investments on complementary advanced malware technology that runs on your endpoint. You'll need to make sure you don't fall behind on keeping your devices patched and configured correctly.

But also importantly, you'll need to focus on being able to shorten the window between exploit, detection, and remediation. And, yes, the network plays a big role in the "after compromise" aspects of dealing with advanced malware.

In Part 2 of this series, my friend Wendy Nather will delve into how detection turns into network forensics and provide some tips on how you can figure out what just happened to you.

Mike Rothman is President of Securosis and author of The Pragmatic CSO

Mike's bold perspectives and irreverent style are invaluable as companies determine effective strategies to grapple with the dynamic security threatscape. Mike specializes in the sexy aspects of security, like protecting networks and endpoints, security management, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
High Stress Levels Impacting CISOs Physically, Mentally
Jai Vijayan, Freelance writer,  2/14/2019
Valentine's Emails Laced with Gandcrab Ransomware
Kelly Sheridan, Staff Editor, Dark Reading,  2/14/2019
Making the Case for a Cybersecurity Moon Shot
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  2/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-1659
PUBLISHED: 2019-02-21
A vulnerability in the Identity Services Engine (ISE) integration feature of Cisco Prime Infrastructure (PI) could allow an unauthenticated, remote attacker to perform a man-in-the-middle attack against the Secure Sockets Layer (SSL) tunnel established between ISE and PI. The vulnerability is due to...
CVE-2019-8983
PUBLISHED: 2019-02-21
MDaemon Webmail 14.x through 18.x before 18.5.2 has XSS (issue 1 of 2).
CVE-2019-8984
PUBLISHED: 2019-02-21
MDaemon Webmail 14.x through 18.x before 18.5.2 has XSS (issue 2 of 2).
CVE-2018-20122
PUBLISHED: 2019-02-21
The web interface on FASTGate Fastweb devices with firmware through 0.00.47_FW_200_Askey 2017-05-17 (software through 1.0.1b) exposed a CGI binary that is vulnerable to a command injection vulnerability that can be exploited to achieve remote code execution with root privileges. No authentication is...
CVE-2018-6687
PUBLISHED: 2019-02-21
Loop with Unreachable Exit Condition ('Infinite Loop') in McAfee GetSusp (GetSusp) 3.0.0.461 and earlier allows attackers to DoS a manual GetSusp scan via while scanning a specifically crafted file . GetSusp is a free standalone McAfee tool that runs on several versions of Microsoft Windows.