Combating the Evolving Malware Threat

John Moynihan


October 1, 2014

How secure is our network from unauthorized access?

Any information security or risk management professional has undoubtedly heard this question many times, likely with increased frequency. Whether it is a senior manager or a member of the board of directors, those posing it are acutely aware of the dramatic increase in cyberattacks and the consequences associated with the unauthorized access of customer information, proprietary corporate data or intellectual property. These individuals are looking for reassurance that the organization's confidential information is adequately protected from the rapidly evolving array of external threats.

But before you launch into a practiced response describing the myriad technical controls that have been deployed to secure the network perimeter (a best-in-class firewall, robust antivirus software and a data loss prevention solution, for example), it is important to remember one indisputable fact: today's malware increasingly renders these technologies ineffective. A new generation of prolific hackers is routinely deploying customized malware to penetrate the networks of sophisticated, multinational corporations. As a result, the traditional approach of combating this threat with a technology-centric strategy is obsolete. Organizations that fail to acknowledge this dynamic, and to adjust their approach accordingly, will remain exposed to the imminent risk of a data breach and its potentially devastating consequences.

What Is Customized Malware?
Customized malware is malicious software that has been modified, reengineered or otherwise altered to evade the detection capabilities of traditional security technologies. Customized malware can take the form of any of the commonly known types of malicious software, including viruses, worms, trojan horses, rootkits and ransomware. The most common customized malware delivery method is inbound email, normally through a phishing or spear-phishing attack.

Antivirus products are largely ineffective at stopping the threat since they only provide "signature-based detection," which means that only malware variants whose algorithms have been previously identified are prevented from compromising the intended victim. Whenever a new malware variant is identified, a "patch" addressing this specific threat is created, distributed and installed. In an enterprise environment, conscientious security administrators ensure that all new patches are installed immediately upon receiving the update from their antivirus provider. Unfortunately, the period that elapses between identification, analysis and distribution of a security patch is 30 to 90 days. In the interim, organizations are significantly exposed to the risk of a customized malware attack.

Although this threat has existed for several years, the widely publicized attack on Target provided the public with unprecedented clarity about how customized malware is used. In the Target breach, malware that was installed within the company's network permitted a group of Eastern European hackers to perform extensive system reconnaissance and, ultimately, to steal more than 40 million credit and debit card numbers. In addition to the cardholder data, 70 million customer email addresses, home addresses and telephone numbers were stolen. It wasn't until mid-December 2013 that an external party informed Target management of the hack so that the attack could be disrupted.

On Jan. 14, 2014, iSIGHT Partners, the vendor hired by the United States Secret Service to assist in the Target breach investigation, issued the report "KAPTOXA Point of Sale Compromise." Released with authorization from the Secret Service to assist organizations protecting against this risk, the KAPTOXA report identified the malware used in the Target attack as "Trojan.POSRAM," a previously unknown variant created by modifying the widely used "BlackPOS" signature.

The Trojan.POSRAM variant was specifically designed to extract large volumes of payment card data from point-of-sale (POS) environments, such as credit card terminals. Upon discovery and detailed analysis, experts found that this variant had a 0% antivirus detection rate. Simply put, Trojan.POSRAM facilitated the penetration of a major retailer and allowed cybercriminals to steal millions of confidential records without being detected. At the time, BlackPOS malware could be purchased on the internet for a mere $2,500.

Similar attacks are common throughout all industries. In December 2012, Imperva Research found that, after testing 82 recently discovered malware variants against 40 major antivirus products, the detection rate was less than 5%. Therefore, despite spending $7.4 billion on antivirus products in 2011, consumers and enterprises were more at risk of a serious malware attack than ever.

Adjusting Your Mitigation Approach
The persistent and evasive nature of customized malware requires a multi-layered approach to data protection and network security. Given that antivirus products have become increasingly ineffective in preventing this form of malware from compromising global networks, enterprises can no longer rely solely on security technologies. Therefore, an approach that combines employee education, threat containment and network monitoring is necessary to reduce the risk of customized malware penetration.

Layer 1: Education
Since inbound email, phishing and spear phishing remain the most common delivery method for initiating a customized malware campaign, it is essential that enterprises provide all users with clear, practical guidance on how to identify and guard against this increasingly common tactic. Management must recognize that all users, whether they are employees, contractors or interns, are conduits for a potential malware exploit through a continuous barrage of "social engineering" overtures, usually in the form of email purporting to be from financial institutions, delivery companies or social media sites. Therefore, the most effective method of preventing an email attack is through ongoing workforce education.

This process begins with the creation and distribution of a clear, current information security policy that contains specific, practical guidance. The policy must articulate the threat in layman's terms and explain how to proceed when a phishing email appears in a user's inbox. For example:

"The opening of non-business links, attachments or executable programs, is prohibited. Opening a link or attachment may result in the installation of malicious software. Unsolicited email purporting to be from a financial institution, package delivery company or social media site often contains harmful attachments."

The next critical element of effective cybereducation is mandatory employee training. The curriculum must be aligned with, and reinforce, the information security policy. It should include a discussion of employee responsibility, an explanation of prohibited activities and a description of the consequences for those violating the policy. Employees often require clarification on various issues, so the training sessions should provide a forum for them to seek this additional information.

Without an ongoing training program, employees are more likely to engage in arbitrary and irresponsible behavior when using technology resources. Despite mounting evidence of the importance of an educated workforce, many IT professionals unfortunately continue to minimize the policy and training components and dismiss them as extraneous "soft controls." But any organization that lacks written security guidance and a corresponding training program to reinforce these directives will remain at increased risk of a customized malware attack.

Layer 2: Containment
Although educating users will reduce an organization's risk of being compromised by a customized malware attack, it will not eliminate the threat. Enterprises must prepare for the possibility that their network may be penetrated by cybercriminals. However, a network intrusion does not automatically result in a data breach. Through effective network segmentation, intruders may be contained within "segments" that do not house or process confidential information.

Network segmentation is the process by which a network is divided into various sub-networks, allowing an enterprise to restrict access to certain areas and only to those with a clear business need. If an intruder surreptitiously enters a "flat" network (one that has not been properly segmented), they will enjoy lateral movement and may gain access to payment applications and databases storing personal information or intellectual property. In a properly segmented network, all critical technologies are isolated and the confidential data residing therein is protected. Should an unauthorized party seek access to an isolated segment, they would be blocked because they lack the proper authentication credentials.

This is analogous to the layout of your local bank. When you walk into the lobby, your access is restricted to the teller window and perhaps the office of the branch manager. The bank does not permit customers unrestricted access from the lobby to the vault or safe deposit boxes. With the use of segmentation, intruders may gain network entry through a company's website or email server, but would be prohibited from accessing other critical areas.
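The lobby-and-vault analogy above can be checked against an actual segmentation policy. The following is an added example, not code from the article or its author: it models a default-deny allow-list between segments (segment names, ports and the allow-list are assumed for illustration) and computes how far an intruder who lands in one segment can move, first in a flat network and then under the segmented policy.

```python
"""Added example (not from the article): lateral reach in a flat network
versus reach under a default-deny segmentation policy."""
from collections import deque
from typing import NamedTuple, Optional

class Flow(NamedTuple):
    src: str
    dst: str
    port: int

# Assumed segment names for a small retailer-style network.
SEGMENTS = {"internet", "dmz-web", "dmz-mail", "corporate",
            "pos-terminals", "payment-app", "cardholder-db"}

# Assumed allow-list: only flows with a documented business need; everything
# else between segments is denied (the "vault" is cardholder-db).
SEGMENTED: set[Flow] = {
    Flow("internet", "dmz-web", 443),
    Flow("internet", "dmz-mail", 25),
    Flow("corporate", "dmz-mail", 993),
    Flow("pos-terminals", "payment-app", 8443),
    Flow("payment-app", "cardholder-db", 5432),
}

def next_hops(policy: Optional[set[Flow]], seg: str) -> set[str]:
    """Segments directly reachable from `seg`; policy None models a flat network."""
    if policy is None:
        return SEGMENTS - {seg}
    return {f.dst for f in policy if f.src == seg}

def reachable(policy: Optional[set[Flow]], start: str) -> set[str]:
    """Every segment a foothold in `start` could move to, transitively (BFS)."""
    seen, queue = set(), deque([start])
    while queue:
        seg = queue.popleft()
        for nxt in next_hops(policy, seg):
            if nxt != start and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def exposes_vault(policy: Optional[set[Flow]], entry: str,
                  vault: str = "cardholder-db") -> bool:
    """True if a foothold in `entry` can ultimately reach the vault segment."""
    return vault in reachable(policy, entry)

if __name__ == "__main__":
    for entry in ("dmz-mail", "dmz-web", "pos-terminals"):
        print(entry, "flat:", exposes_vault(None, entry),
              "segmented:", exposes_vault(SEGMENTED, entry))
```

Note that a foothold in the POS segment still reaches the cardholder database through the payment application, because that path is a legitimate business flow; segmentation narrows exposure rather than eliminating it, which is why the monitoring layer below still matters.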

Layer 3: Monitoring
Should implementation of an employee awareness program and network segmentation fail to prevent an intrusion, system monitoring allows entities to identify and disrupt malicious activity. Although customized malware is undetectable by conventional firewall and antivirus technologies, the activities initiated by this harmful software are identifiable through network monitoring. For instance, although data-scraping malware may penetrate a retailer's point-of-sale environment without detection, network monitoring would detect credit card data being exported from the infected terminals to suspicious, external locations.

Network monitoring is the continuous analysis of select components of an information system, such as customer databases, payment applications and intellectual property repositories. Although this form of oversight previously required extensive resources and manual intervention, the process has become increasingly automated and scalable.

There are several automated monitoring solutions that allow enterprises to create unique testing criteria based upon risk presence. Automated monitoring solutions are capable of generating real-time alerts of potential network threats to key stakeholders, such as internal audit, risk or information security staff. Users should program their monitoring software to generate alerts on the following system events: the escalation of user privileges, attempted access from unknown hosts, deletion or modification of data, disabling of an audit log, off-hour attempts to access sensitive applications and attempts to export large quantities of data.
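The alert conditions listed above, together with the POS export scenario from the start of this section, can be expressed as simple rules run over an audit event stream. The following is an added example, not code from the article or any product it mentions: the host inventory, application names, export threshold, business hours and the sample events are all assumed or constructed.

```python
"""Added example (not from the article): rule-based alerting over constructed
audit events, one rule per event type the article lists."""
from datetime import datetime
import ipaddress

KNOWN_HOSTS = {"10.10.1.5", "10.10.1.6"}             # assumed asset inventory
SENSITIVE_APPS = {"payments", "customer-db"}         # assumed sensitive systems
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXPORT_THRESHOLD = 50_000_000                        # bytes, assumed policy
BUSINESS_HOURS = range(7, 20)                        # 07:00-19:59, assumed

def is_external(ip: str) -> bool:
    """External means outside the assumed internal address ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def check_event(e: dict) -> list[str]:
    """Return the alert labels one audit event triggers (possibly several)."""
    alerts = []
    hour = datetime.fromisoformat(e["ts"]).hour
    target = e.get("target")
    if e["action"] == "privilege_change" and e.get("new_role") == "admin":
        alerts.append("privilege escalation")
    if e["src"] not in KNOWN_HOSTS:
        alerts.append("access from unknown host")
    if e["action"] in ("delete", "modify") and target in SENSITIVE_APPS:
        alerts.append("deletion or modification of data")
    if e["action"] == "audit_log_disabled":
        alerts.append("audit log disabled")
    if target in SENSITIVE_APPS and hour not in BUSINESS_HOURS:
        alerts.append("off-hours access to sensitive application")
    if e["action"] == "export" and (e.get("bytes", 0) >= EXPORT_THRESHOLD
                                    or is_external(e.get("dst", "10.0.0.1"))):
        alerts.append("large or external data export")
    return alerts

def scan(events: list[dict]) -> list[tuple[str, str, str]]:
    """(timestamp, user, alert) for every alert raised across the stream."""
    return [(e["ts"], e["user"], a) for e in events for a in check_event(e)]

SAMPLE = [  # constructed sample events; not real log data
    {"ts": "2014-10-01T09:15:00", "src": "10.10.1.5", "user": "clerk1", "action": "read", "target": "payments"},
    {"ts": "2014-10-01T02:40:00", "src": "10.10.1.5", "user": "clerk1", "action": "read", "target": "customer-db"},
    {"ts": "2014-10-01T10:02:00", "src": "10.10.9.77", "user": "svc_pos", "action": "privilege_change", "new_role": "admin"},
    {"ts": "2014-10-01T10:05:00", "src": "10.10.1.6", "user": "svc_pos", "action": "audit_log_disabled"},
    {"ts": "2014-10-01T10:20:00", "src": "10.10.1.6", "user": "svc_pos", "action": "export", "target": "payments", "bytes": 120_000_000, "dst": "203.0.113.9"},
]
```

Running `scan(SAMPLE)` yields five alerts; the daytime read of the payments application raises none, which is the behavior a reviewer wants so that staff are not flooded with routine activity.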

It is essential that all staff to whom alerts are sent be capable of immediately evaluating the nature of the event and verifying whether the activity is authorized. The effectiveness of a network monitoring program is contingent upon the process by which alerts are addressed. Unfortunately, many enterprises implement network monitoring solutions and entrust the process to an IT generalist. Those responsible for administering the program must possess the requisite expertise to promptly evaluate an event, identify risk presence and disrupt the threat.

System monitoring, if administered by properly trained staff, provides an enterprise with a final layer of protection against unauthorized access. However, the individuals responsible for the program must be capable of managing the process and eradicating any threats.

John Moynihan, CGEIT, CRISC, is president of Minuteman Governance, a Massachusetts-based information security services consultancy.