In today's network environments, malware that evades legacy defenses is pervasive, with communication and activity occurring up to once every three minutes. Unfortunately, most of this activity is inconsequential to the business. You would think that would be good news, right? The problem is that incident responders have no good way of distinguishing inconsequential malware from (potentially) highly damaging malware. As a result, they spend far too much time and resources chasing red herrings while truly malicious activity slips past.
Add into the mix the sleepless nights that result from compulsively watching malware alert dashboards showing hundreds to thousands of malicious-activity alerts. With a daunting list of malware to analyse and only so many hours in the day, it's no huge surprise that headline-making breaches are increasingly becoming the norm.
The reality is that advanced malware defense is a complex undertaking, one that requires not only the ability to detect malware — which in complex network environments is already difficult — but also to prioritize action where it will have the best security outcome. Reducing the lifecycle of an active attack by even a few days can reduce the economic impact of an attack by millions.
So how do we speed things up? Context is the antidote to the uncertainty created by the plethora of malware alerts. How do you gain that context? The first step is to know what to look for. Once you understand what you need to know, you can begin to automate data collection and correlation.
With that being the case, here are the things you should look for before deciding to take action:
Malware comes in all shapes and forms. While the majority of malware may be content with showing your users unwanted ads or enticing them to download more free games, there is advanced malware with the true intent of creating damage — targeted, sophisticated attacks. The severity of intent varies from being part of a botnet sending spam messages all the way to targeted threats designed to steal information and create disruptions. Understanding the true intent of malware can be difficult, but there are several telltale signs that can be used as a proxy for it:
- Complexity (evasiveness): Although there are no absolutes when dealing with malware, in general more effort spent on evasion means a more critical threat. If a piece of executable code tries "too hard" to evade detection, e.g. by encrypting its payload, it can be considered more dangerous than malware that does not.
- Delivery sophistication: How much effort and customization went into delivering the malware to your organization is a strong indicator of the attacker's sophistication and skill, and also a good indicator of intent. Malware propagating through a custom-crafted message to your employees is likely more harmful than an infection that came in via a mass email.
- Questionable functionality: If the malware code includes questionable functionality, e.g. calls to capture keystrokes or screenshots, it is likely to be more severe.
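The three signals above can be turned into a first pass at the "automate data collection and correlation" step. The following is an added example, not code from the article or any product it describes: it scores each alert on evasion effort, delivery sophistication (a lure seen by only a handful of recipients is treated as targeted, a lure seen by hundreds as mass mail) and questionable capabilities, then correlates alerts per host so responders see a ranked host list with reasons. The weights, the recipient threshold, the alert fields and the sample alerts are all constructed for this illustration and would need tuning to a real alert feed.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed weights for this example; tune them to your own alert feed.
EVASION_WEIGHTS = {
    "packed": 1,             # off-the-shelf packer, common even in adware
    "encrypted_payload": 3,  # payload only decrypted at run time
    "sandbox_check": 3,      # refuses to run under analysis
}
CAPABILITY_WEIGHTS = {
    "adware": 0,
    "spam_relay": 1,
    "screenshot": 3,
    "keylogging": 4,
    "credential_theft": 5,
    "lateral_movement": 5,
}
# A lure that reached this many recipients or fewer is treated as targeted (constructed threshold).
TARGETED_RECIPIENT_LIMIT = 10


@dataclass
class Alert:
    alert_id: str
    host: str
    evasion: list = field(default_factory=list)
    capabilities: list = field(default_factory=list)
    delivery: str = "unknown"   # "email", "web" or "unknown"
    recipients_seen: int = 0    # recipients the same lure reached (email only)


def delivery_score(alert: Alert) -> int:
    """Delivery sophistication: a custom message to a few people outranks a mass mailing."""
    if alert.delivery == "email":
        return 4 if alert.recipients_seen <= TARGETED_RECIPIENT_LIMIT else 1
    if alert.delivery == "web":
        return 2
    return 0


def score_alert(alert: Alert) -> int:
    """Sum the three proxies for intent: evasion effort, delivery sophistication, capabilities."""
    evasion = sum(EVASION_WEIGHTS.get(e, 0) for e in alert.evasion)
    capability = sum(CAPABILITY_WEIGHTS.get(c, 0) for c in alert.capabilities)
    return evasion + delivery_score(alert) + capability


def explain(alert: Alert) -> str:
    """Human-readable reasons, so the responder can see why an alert ranked where it did."""
    parts = []
    if alert.evasion:
        parts.append("evasion=" + "+".join(alert.evasion))
    if alert.delivery == "email":
        kind = "targeted" if alert.recipients_seen <= TARGETED_RECIPIENT_LIMIT else "mass"
        parts.append(f"{kind} email ({alert.recipients_seen} recipients)")
    elif alert.delivery != "unknown":
        parts.append(alert.delivery)
    flagged = [c for c in alert.capabilities if CAPABILITY_WEIGHTS.get(c, 0) >= 3]
    if flagged:
        parts.append("capabilities=" + "+".join(flagged))
    return "; ".join(parts) or "no strong signals"


def triage(alerts):
    """Correlate alerts per host and rank hosts by summed score, highest first.

    Returns a list of (host, total_score, [reason strings]) tuples.
    """
    per_host = defaultdict(list)
    for a in alerts:
        per_host[a.host].append(a)
    ranked = []
    for host, items in per_host.items():
        total = sum(score_alert(a) for a in items)
        ordered = sorted(items, key=score_alert, reverse=True)
        reasons = [f"{a.alert_id}: {explain(a)}" for a in ordered]
        ranked.append((host, total, reasons))
    ranked.sort(key=lambda r: r[1], reverse=True)
    return ranked


# Constructed sample alerts, not real telemetry.
SAMPLE_ALERTS = [
    Alert("A-1", "ws-17", evasion=["packed"], capabilities=["adware"], delivery="web"),
    Alert("A-2", "fin-03", evasion=["encrypted_payload", "sandbox_check"],
          capabilities=["keylogging", "credential_theft"], delivery="email", recipients_seen=3),
    Alert("A-3", "ws-22", capabilities=["spam_relay"], delivery="email", recipients_seen=850),
    Alert("A-4", "fin-03", evasion=["packed"], capabilities=["lateral_movement"]),
]

if __name__ == "__main__":
    for host, total, reasons in triage(SAMPLE_ALERTS):
        print(f"{host:8} score={total:3}")
        for r in reasons:
            print("    " + r)
```

On the constructed sample, the finance host with two correlated alerts (an evasive, targeted keylogger plus a lateral-movement stage) lands at the top of the queue, while the mass-mailed spam relay and the packed adware sit at the bottom, which is the ordering the article argues responders need before choosing where to act.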