
Vulnerabilities / Threats // Advanced Threats

3/31/2017 12:00 PM
John Moynihan
Commentary

Customized Malware: Confronting an Invisible Threat

Hackers are gaining entry to networks through a targeted approach. It takes a rigorous defense to keep them out.

How secure is your network from unauthorized access?

Before you launch into a practiced response regarding your best-in-class firewall and robust antivirus software, you should know that the rapidly evolving malware landscape has rendered these technologies increasingly ineffective. Prolific, adaptable hackers are deploying customized malware to compromise networks throughout the financial services, healthcare, technology, and government sectors. However, it is possible to mitigate the risk.

What Is Customized Malware?    
Customized malware is malicious software that has been modified to evade detection by traditional security technologies. It comes in many forms, including ransomware. The most common delivery method is inbound email, via a phishing or spearphishing attack. Because traditional antivirus products rely on signature-based detection, only those variants whose signatures have already been identified are successfully quarantined. Modified variants therefore escape detection at an alarming rate.

Whenever a new malware variant is identified, a signature update (a "patch" that addresses this specific threat) is created, distributed, and installed. In an enterprise environment, conscientious security administrators ensure that all new updates are installed as soon as possible. Unfortunately, the period that elapses between identification and analysis of a new variant and the distribution of an update is 30 to 90 days. In the interim, organizations are significantly exposed to the risk of a customized malware attack.

Although these undetectable threats have existed for several years, the widely publicized attack on Target provided an unprecedented glimpse of how customized malware is used. In that breach, the malware installed within the company's network permitted a group of hackers, based in Eastern Europe, to perform extensive system reconnaissance and, ultimately, steal over 40 million credit and debit card numbers without ever being internally detected.

Shortly after the attack on Target, the United States Secret Service initiated an investigation and engaged iSIGHT Partners to assist in the forensic review. In January 2014, iSIGHT issued a report entitled "KAPTOXA Point of Sale Compromise." The KAPTOXA report revealed that the malware variant used to attack Target had a 0% detection rate. Simply put, the malware was customized to be completely invisible.

Mitigation Approach
The evasive nature of customized malware requires the implementation of a multilayered approach to data protection and network security. Given that antivirus products have become increasingly ineffective in preventing these attacks, enterprises can't rely solely on security technologies. An approach that combines employee education, threat containment, and network monitoring will reduce the risk of a customized malware penetration.

Education: Given that phishing and spearphishing remain the most prevalent delivery methods for initiating a customized malware campaign, it's essential that enterprises provide all users with clear, practical guidance on how to identify and guard against this tactic. Management must recognize that all users, whether employees, contractors, or interns, are potential conduits for malware because they face a continuous barrage of social engineering overtures. Therefore, the most proactive method of preventing an attack is workforce education. The education process begins with the distribution of a clear, current information security policy that provides specific, practical guidance.

The next element of effective cyber education is mandatory employee training. The curriculum must be aligned with the policy and include a discussion of employee responsibility, an explanation of prohibited activities, and a description of the consequences for violators. An ongoing training program is a central element of an organization's cybersecurity program, without which users will engage in arbitrary and irresponsible behavior when using technology resources.

Containment: Although educating users will reduce an organization's risk of being compromised by a customized malware attack, it doesn't eliminate the threat. Through effective network segmentation, intruders may be contained within segments that do not house or process confidential information. Network segmentation is the process by which a network is divided into various subnetworks, letting an enterprise restrict access to each segment to only those with a clear business need. If intruders surreptitiously enter a "flat" network, one that hasn't been properly segmented, they can move laterally and may gain access to payment applications, databases storing personal information, or intellectual property. In a properly segmented network, all critical technologies are isolated and the confidential data residing there is protected.

Think of your local bank. When you walk in, your access is restricted to the teller window and perhaps the branch manager's office. The bank doesn't permit customers unrestricted access from the lobby to the vault or safe deposit boxes. This is a segmented physical environment, and network segmentation works on the same principle.

Monitoring: If implementing an employee awareness program and network segmentation fails to prevent an intrusion, system monitoring allows entities to identify and disrupt malicious activity. Although customized malware is undetectable by conventional firewall and antivirus technologies, the activities initiated by this harmful software are identifiable through network monitoring. For instance, although data-scraping malware may penetrate a retailer's point-of-sale environment without detection, network monitoring would detect credit card data being exported from the infected terminals to suspicious, external locations.

Network monitoring is the process by which select components, such as customer databases, are continuously analyzed to detect unauthorized access. A variety of automated monitoring solutions provide the capability of generating real-time alerts of potential network threats. Network monitoring administered by properly trained staff gives an enterprise a final layer of protection against unauthorized access.
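The two controls above, segmentation and monitoring, can be expressed as a single check over network flow records: a table of which segments may talk to which, and an alert when traffic leaves the card-processing segments for an external address, especially when the payload looks like card numbers. The following is an added example, not code from the article or its author; the segment address ranges, the policy table, the `Flow` record shape and the sample flows are all constructed for illustration, and the card-number check uses the Luhn checksum on 13 to 19 digit runs so that ordinary numeric fields are not flagged.

```python
"""Segmentation-policy and card-data egress checks over constructed flow records.

Added example, not from the article. SEGMENTS, POLICY and the sample flows
are hypothetical; a real deployment would load them from the network design
and from the flow sensor respectively.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed segment definitions (hypothetical addressing plan).
SEGMENTS = {
    "office": ipaddress.ip_network("10.10.0.0/16"),
    "pos": ipaddress.ip_network("10.20.0.0/16"),
    "cardholder": ipaddress.ip_network("10.30.0.0/24"),
    "dmz": ipaddress.ip_network("10.40.0.0/24"),
}

# Allowed cross-segment flows as (source segment, destination segment, port).
# Anything not listed is a policy violation. "external" means any address
# outside every defined segment; only the DMZ proxy may reach it.
POLICY = {
    ("pos", "cardholder", 443),   # terminals post transactions to the payment app
    ("office", "dmz", 443),       # staff reach the web proxy
    ("dmz", "external", 443),     # the proxy is the only path to the Internet
}

# Digit runs of 13 to 19 not adjacent to other digits: candidate card numbers.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    bytes_out: int
    payload_sample: str = ""  # leading payload bytes, if the sensor captures them


def segment_of(ip: str) -> str:
    """Map an address to its segment name, or 'external' if it is in none."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers (filters random digit runs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def contains_pan(text: str) -> bool:
    """True if any digit run in the text passes the Luhn check."""
    return any(luhn_valid(m) for m in PAN_RE.findall(text))


def evaluate(flow: Flow) -> list:
    """Return the list of findings for one flow (empty list means allowed)."""
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    allowed = (src_seg, dst_seg, flow.dport) in POLICY
    findings = []
    # 1. Lateral movement: a cross-segment flow the policy does not permit.
    if src_seg != dst_seg and not allowed:
        findings.append(f"policy-violation {src_seg}->{dst_seg}:{flow.dport}")
    # 2. Egress from the card-processing segments straight to the Internet.
    if dst_seg == "external" and src_seg in ("pos", "cardholder"):
        findings.append(f"external-egress-from-{src_seg}")
    # 3. Card-number-shaped payload on a flow that is external or unpermitted.
    if (dst_seg == "external" or not allowed) and contains_pan(flow.payload_sample):
        findings.append("card-data-in-payload")
    return findings


def analyze(flows: list) -> dict:
    """Map 'src->dst:port' to findings for every flow that raised at least one."""
    report = {}
    for f in flows:
        hits = evaluate(f)
        if hits:
            report[f"{f.src}->{f.dst}:{f.dport}"] = hits
    return report


if __name__ == "__main__":
    # Constructed sample flows: one normal transaction, one lateral probe,
    # one exfiltration attempt, and one ordinary proxied web request.
    sample = [
        Flow("10.20.1.5", "10.30.0.10", 443, 2048, "PAN=4111111111111111;"),
        Flow("10.10.5.7", "10.30.0.10", 1433, 512),
        Flow("10.20.1.5", "203.0.113.9", 443, 48000, "4111111111111111 ..."),
        Flow("10.10.5.7", "10.40.0.2", 443, 300, "GET /"),
    ]
    for key, hits in analyze(sample).items():
        print(key, hits)
```

The ordering of the three checks matters for triage: a permitted POS-to-payment-application flow carrying a card number produces nothing, because that is the system working as designed, whereas the same payload heading to an external address raises all three findings at once. The policy table is the machine-readable form of the segmentation design, so the monitoring layer is checking the same rules the firewall is supposed to enforce.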

Customized malware poses an unprecedented risk to virtually all organizations. Organizations that fail to understand the dynamic nature of this situation and adjust their approach accordingly are at imminent risk of a cyberattack and the consequences that accompany these incidents.  

John Moynihan, CGEIT, CRISC, is President of Minuteman Governance, a Massachusetts cybersecurity consultancy that provides services to public and private sector clients throughout the United States. Prior to founding this firm, he was CISO at the Massachusetts Department of ...