The days of malware using randomly picked ports to copy data off your network are long gone. So too are the days of using well-known reserved ports (such as IRC port 6667) to send commands to and control malicious creations remotely.
Now every malware program works over SSL/TLS port 443 and uses industry-accepted, military-approved AES encryption. Most companies have a hard time seeing into port 443 traffic, and most don’t even try. Companies are increasingly using firewalls and other network security devices to see into 443 traffic by intercepting the connection and replacing the intruder’s digital certificate with their own. But when the data inside the 443 stream is further encrypted with AES, that interception does forensic investigators no good. What they see is impenetrable gobbledygook.
Malware writers’ use of standard encryption is so effective that even the FBI is telling ransomware victims to simply pay up. In fact, if you find a malware program running on any port but 443 and not using AES encryption to cover its tracks, it’s probably the work of a script kiddie. Alternatively, it has been in your environment for a long time, and you only now discovered it.
Your attacker covers their tracks
Until the past few years, most companies never bothered to enable logging, or if they did, they didn’t collect the logs or alert on suspicious events. But times have changed, and now IT defenders would be considered negligent if they didn’t enable and check logs on a routine basis.
The bad guys have responded by using techniques, such as command-line and scripting commands, that are less likely to be picked up by event logging tools, or they simply delete the logs when they are finished. Some of the more sophisticated attackers use rootkit programs, which maliciously modify the operating system so that executions of their tools are never recorded.
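The log-deletion problem described above, as an added detection example that is not from the original article: a collector should alert on the Windows events that record a log being cleared, and on hosts whose event stream goes unexpectedly quiet. The record format, hostnames and the six-hour silence threshold are constructed assumptions.

```python
"""Flag signs of log tampering in a stream of Windows event records.

Added example, not from the original article. Event IDs used are the
standard ones: Security 1102 ("The audit log was cleared") and System 104
("The System log file was cleared"). The JSON-lines format, hostnames and
the 6-hour silence threshold are constructed sample data and assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# (channel, event id) pairs that record a log being cleared.
LOG_CLEARED = {("Security", 1102), ("System", 104)}

SAMPLE_EVENTS = "\n".join([  # constructed sample data, newline-delimited JSON
    '{"ts": "2016-03-01T09:00:00", "host": "ws01", "channel": "Security", "id": 4624, "user": "alice"}',
    '{"ts": "2016-03-01T09:05:00", "host": "ws01", "channel": "Security", "id": 4688, "user": "alice"}',
    '{"ts": "2016-03-01T09:06:00", "host": "ws01", "channel": "Security", "id": 1102, "user": "svc_backup"}',
    '{"ts": "2016-03-01T09:00:00", "host": "srv02", "channel": "System", "id": 7036, "user": "SYSTEM"}',
    '{"ts": "2016-03-01T09:01:00", "host": "srv02", "channel": "System", "id": 104, "user": "SYSTEM"}',
    '{"ts": "2016-03-01T09:00:00", "host": "dc01", "channel": "Security", "id": 4624, "user": "bob"}',
    '{"ts": "2016-03-01T23:00:00", "host": "dc01", "channel": "Security", "id": 4624, "user": "bob"}',
])


def find_log_tampering(raw_events: str, max_gap: timedelta = timedelta(hours=6)) -> list:
    """Return alert strings for cleared-log events and for hosts whose
    event stream stops for longer than max_gap. A long gap is a clue that
    logging was disabled rather than that nothing happened; the threshold
    is a placeholder and should be tuned against a per-host baseline."""
    alerts = []
    last_seen = defaultdict(dict)  # host -> {channel: timestamp of last event}
    for line in raw_events.splitlines():
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"])
        if (ev["channel"], ev["id"]) in LOG_CLEARED:
            alerts.append(f"{ev['host']}: {ev['channel']} log cleared by {ev['user']} at {ev['ts']}")
        prev = last_seen[ev["host"]].get(ev["channel"])
        if prev is not None and ts - prev > max_gap:
            alerts.append(f"{ev['host']}: no {ev['channel']} events for {ts - prev} before {ev['ts']}")
        last_seen[ev["host"]][ev["channel"]] = ts
    return alerts


if __name__ == "__main__":
    for alert in find_log_tampering(SAMPLE_EVENTS):
        print(alert)
```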
Your attacker has been in your environment for years
The average time a professional criminal organization has been inside a victim’s company before being noticed is measured in months to years. I frequently work with companies that have multiple professional gangs in their company, and some have been inside for as long as eight years.
The very respected Verizon Data Breach Investigations Report frequently reports that most breaches are noticed by external parties, not by the victim. In most cases that’s because the external party was also compromised for years, and during its own forensic investigation it noticed that its data, or its attackers, were moving to or from another company that was being used as a staging point.
I’ve consulted at a few customers where the bad guy had been in the company for so long that the malware they were placing became part of the company’s gold image -- that is, every new computer included the malicious software. I’ve seen Trojans and malware programs that were allowed to spread for years because the IT staff assumed they were necessary software components placed by some other group within the same organization. Hackers love these sorts of assumptions.