By Keith Bird, Managing Director UK for Check Point
Hardly a month seems to go by without a malware attack hitting the headlines, or reports of Government agencies taking down another global cyber-criminal network. This month was no exception, as the disruption of the Gameover Zeus botnet and CryptoLocker ransomware scam became front page news.
The attacks involving these malware agents, which investigators believe they have stalled temporarily, are estimated to have infected over 1 million computers worldwide. It’s easy to think that the news coverage of these high profile malware and bot attacks distorts the truth, but the statistics don’t lie. Our own 2014 Security Report found that:
• 88% of financial sector organisations had a data loss incident in 2013, up from 61% in 2012
• Despite the numerous high-profile credit card data breaches that took place in 2013, Check Point research found that the incidence of PCI data loss events in financial organisations slightly reduced to 33%, compared with 36% found in 2012
• A bot infection on the company’s network communicates with its command and control centre every 3 minutes
• A known malware variant is being downloaded to the company’s network every 10 minutes
• A new, unknown malware variant is being downloaded to the company network every 27 minutes
• The company’s network is infected with a new bot every 24 hours
The unknown malware explosion
This data highlights the increasing threat that malware poses to businesses. However if this trend is to be reversed, it is important to gain a firm grasp of why it is happening. While traditional security technologies such as anti-virus and Intrusion Prevention are effective in detecting attempts to exploit known software vulnerabilities, hackers are acutely aware of this and tailor their efforts accordingly. As a result they invest time in either testing malware against these technologies to check whether they are detected or on trying to exploit new, unknown vulnerabilities and infection methods to get through conventional security defences.
In 2013 our report found that 2.2 pieces of unknown malware struck organizations every hour, a rate of 53 every day — and 58% of organisations experienced a user downloading malware every two hours or less, a three-fold increase compared with 2012.
Two main factors were behind this sudden increase in frequency. First, attackers were employing automated mechanisms for creating evasive, unknown malware on a large scale, and then targeting organizations around the world through coordinated campaigns in order to maximise their effectiveness. Key tools used by malware authors are “crypters”. Crypters disguise executables through the use of various encryption and encoding schemes which the author can combine and re-combine to hide malware.
Second, the manual investigation and response processes usually employed to mitigate targeted attacks were unable to keep up with this high volume of incidents.
Rise of the bot
As hackers increased the sophistication of malware, our research found a corresponding increase in bot infections and activity. Bots infiltrate and move round a network quietly gathering information and communicating it to outside sources. While the theme for bot attacks and infiltration was of a lower value of smarter, more targeted attacks, for bots the converse was found to be true with high volume, high frequency and more active infestations. This not only means that organisations are struggling with the volume of attack but have to content with increased activity representing a serious threat to organisations trying to protect the security of their data and systems.
Moreover the stakes for bot infections arguable increased with the advent of a new generation of ransomware — exemplified by CryptoLocker which encrypts data on a PC and holds it to ransom for payment. An important trait of CryptoLocker is that the malware agent is bot like in behaviour and needs to find and initiate communication with a command and control server before it can begin the encryption process. This shows that bot detection can play an important proactive, preventive role in defence against malware.
Reversing the trend
This all paints a very bleak picture: it seems that as soon as one issue dealt with, several more are being created. However there are practical steps organisations can take to reduce their exposure to risk from malware and bots.
Implement a multi-layered security system
Conventional anti-virus software is no longer adequate protection against cyber-criminals. While it performs an important function in an overall security it is essential businesses implement a multi-layered approach to security. Solutions such as threat emulation, or sandboxing, provide exactly that by preventing suspicious programmes ever reaching the network. By implementing this technology organisations will relieve the burden on existing systems and reduce their potential risk of a malware attack.
Implement a dedicated bot detection solution
It is essential that companies use anti-bot detection technology to monitor and track bots that also prevents them communicating with external servers. This should include extended IPS protection that enables blocking for critical severity attacks that covers network, server and infrastructure systems provide by a variety of vendors and platforms.
The only way that a business can truly keep pace with new and evolving threats is to gather and share intelligence on new attacks as quickly as possible. Companies should like to implement such systems that provide real-time updates based on a global intelligence marketplace. By doing so, organisations will be able to update their protection in real-time reducing the risk of a successful attack.
Much like securing a car or home, there is no absolute failsafe for IT security as it’s impossible to accurately predict the lengths criminals will go to in order to gain access to sensitive information. However, by following these three steps, organisations will not only better protect themselves, but also make it harder for criminals to come up with new ways to damage IT systems and infrastructure. This won’t just stop the gap between security and criminal activity growing, but also start bridging it — delivering greater security for us all.