[BreachExchange] How SMBs can better protect themselves against the rising tide of cyber security threats

Audrey McNeil audrey at riskbasedsecurity.com
Mon Jan 29 21:15:25 EST 2018


With an increasing proportion of their daily activities conducted
electronically, many small and mid-sized businesses are on the hunt for
ways to improve their cyber resilience.

Looming threats such as viruses, trojans and ransomware attacks are
increasing in number and sophistication and falling victim could cause
anything from temporary disruption to significant financial losses.

According to recent industry estimates, more than 640 million malware
programs have so far been identified in the wild and around 4000 ransomware
attacks are reported every day. These numbers are daunting for any business
and the trend shows no sign of abating.

As well as increasing in volume, malware has also become big business.
Criminal organisations are behind many attacks because they realise that
there is big money to be made. Some even offer their skills and experience
to less-skilled criminals to allow them to mount attacks.

Classifying malware

All malware currently in circulation can be categorised in one of three
ways: known, unknown or evasive.

Known malware is code that has been seen before in the wild and can be
identified using reputation and signature-based detection tools.
Interestingly, however, 99.9 per cent of exploited vulnerabilities are
compromised more than a year after the malware involved was initially
identified. This is because the businesses affected failed to deploy the
patches or updates that would have secured their systems.

Unknown malware is code that has either never been seen before in the wild
or for which no known signature exists. Almost one million new known
malware threats are released every day, often just slight variants on
existing code but sufficiently different to evade detection tools.

Meanwhile, evasive malware uses encrypted communication channels,
kernel-level root kits and zero-day exploits to slip past existing
defences. Research shows 70 per cent of all malware now includes at least
some sophisticated evasion technologies.


Levels of protection

Having anti-malware tools in place means that a business will be able to
stop the vast majority of known threats that represent the bulk of all
malware in the wild.

However, when it comes to the unknown and evasive categories, the volume
of threats may be lower, but the risk associated with each of them is
higher. Achieving effective protection against all categories of threats
requires a multi-layer approach to security.

The first layer starts with reputation analysis, where all incoming traffic
is scanned for signatures as well as known malicious URLs, domains and IP
addresses. This alone will catch a large volume of known threats.

The next layer is static analysis which involves searching for common
malware patterns and elements within suspected malware. Files are scanned
to look for these attributes with suspicious code then flagged for closer

A third layer of protection uses dynamic analysis. This involves active
monitoring of processes and actions on an endpoint to help identify malware
that is already active within the infrastructure.

The fourth layer, called deep analysis, involves techniques such as cloud
sandboxes where security staff create a virtual environment in which
suspicious code can be run to determine what it is trying to achieve.

Delivery methods

Malware, in all its forms, is delivered primarily via a network. One
widespread method involves so-called 'drive-by downloads' where a user's
browser becomes infected after visiting a compromised website.

Another common approach is phishing or spear phishing where communications
are designed to appear as though they have come from a known or trusted
source. Recipients are encouraged to click on a link or open an attachment
which results in their device becoming infected.

A further approach is the use of malware-as-a-service and exploit kits that
have been designed to allow less sophisticated criminals to mount attacks.
Some of these have been successfully used to mount large-scale ransomware
attacks such as CryptoLocker, CryptoWall and Locky.

While malware uses networks to propagate and infect systems, those networks
can also be used to detect its presence. Tools can be deployed that monitor
network traffic and identify suspicious activity that could be an
indication of infection.

These suspicious activities could include large, unexpected data transfers,
long connection times or connections to known hostile IP addresses. Others
could be dramatic increases in the volume of traffic being blocked or a
sudden increase in new encrypted traffic.

Improving defences

To improve an SMB's ability to detect and respond to malware attacks,
what's required is a combination of two techniques: threat correlation and
threat scoring.

Threat correlation involves comparing events from multiple sources and then
cross referencing this data with the latest threat intelligence available.
This requires looking at the network and endpoints in tandem and combining
any indicators found into broader incidents. Intelligence gathered in this
way is then shared throughout the environment.

Once this has been done, the next step is to apply a threat scoring model
which helps the IT team determine which threats are significant, which can
be left for later examination, and which can be safely ignored.
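As an added example (not from the article), a small Python triage script that applies the network indicators listed under "Delivery methods" to constructed flow records, correlates them per host with a constructed endpoint alert, and scores each incident into the three buckets described above. The weights, thresholds and the hostile IP entry are assumptions.

```python
from collections import defaultdict

# Assumed weights and thresholds (not from the article); tune against your own baseline.
WEIGHTS = {"hostile_ip": 50, "large_transfer": 30, "long_connection": 15,
           "blocked_spike": 30, "new_encrypted": 30, "endpoint_alert": 40}
LARGE_BYTES, LONG_SECONDS = 100_000_000, 3_600   # 100 MB in one flow; held open over 1 h
HOSTILE_IPS = {"203.0.113.7"}                     # placeholder threat-intel entry (TEST-NET-3)

def network_indicators(flows, baseline):
    """flows: (host, dst_ip, bytes_out, seconds, blocked, tls);
    baseline: host -> (usual blocked count, set of TLS destinations seen before)."""
    found, blocked, new_tls = defaultdict(set), defaultdict(int), defaultdict(int)
    for host, dst, nbytes, secs, is_blocked, tls in flows:
        usual_blocked, known_tls = baseline.get(host, (0, set()))
        if dst in HOSTILE_IPS: found[host].add("hostile_ip")          # known hostile address
        if nbytes >= LARGE_BYTES: found[host].add("large_transfer")   # large unexpected transfer
        if secs >= LONG_SECONDS: found[host].add("long_connection")   # long connection time
        if is_blocked: blocked[host] += 1
        if tls and dst not in known_tls: new_tls[host] += 1
        if blocked[host] > 2 * max(usual_blocked, 1): found[host].add("blocked_spike")
        if new_tls[host] >= 3: found[host].add("new_encrypted")       # burst of new encrypted traffic
    return dict(found)

def correlate(network, endpoint_alerts):
    """One incident per host: its network indicators plus any endpoint alert for it."""
    incidents = defaultdict(set, {h: set(i) for h, i in network.items()})
    for host in endpoint_alerts: incidents[host].add("endpoint_alert")
    return dict(incidents)

def score(indicators):
    """Sum the weights and map the total to the article's three buckets."""
    points = sum(WEIGHTS[i] for i in indicators)
    bucket = "significant" if points >= 50 else "examine later" if points >= 30 else "ignore"
    return points, bucket

FLOWS = [  # constructed sample flows, not real traffic
    ("ws-01", "198.51.100.10", 4_500, 3, False, True),            # ordinary TLS browsing
    ("ws-01", "203.0.113.7", 900, 12, False, False),              # beacon to a listed IP
    ("ws-02", "198.51.100.20", 750_000_000, 5_400, False, True),  # large, long TLS upload
    ("ws-03", "198.51.100.30", 2_000, 1, True, False),            # three blocked connections
    ("ws-03", "198.51.100.31", 2_000, 1, True, False),
    ("ws-03", "198.51.100.32", 2_000, 1, True, False),
    ("ws-04", "198.51.100.40", 1_000, 4_000, False, False),       # one long connection only
]
BASELINE = {"ws-01": (0, {"198.51.100.10"}), "ws-02": (0, {"198.51.100.20"}), "ws-03": (1, set())}
ENDPOINT_ALERTS = {"ws-02": "unsigned binary added a run key"}  # constructed endpoint event

def run_triage(flows=FLOWS, baseline=BASELINE, endpoint_alerts=ENDPOINT_ALERTS):
    incidents = correlate(network_indicators(flows, baseline), endpoint_alerts)
    return {host: (*score(inds), sorted(inds)) for host, inds in incidents.items()}
```

Calling `run_triage()` on the constructed data flags the two hosts with a hostile contact or a correlated endpoint alert as significant, the blocked-traffic spike for later examination, and the lone long connection as ignorable.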

By taking this approach - multi-layer protection and the combination of
both threat correlation and threat scoring - an organisation can be
confident it has in place robust security measures that will protect
against the constantly evolving threat landscape.