Malware: A Complex Threat Calls for Complex Controls


Malware can be challenging to remediate because it comes in an endless number of varieties and poses a wide range of threats, from low-end scareware and medium-level ransomware to high-level advanced volatile threats (AVTs) and advanced persistent threats (APTs).

Ransomware made the news recently and has become a concern. This sort of infection often starts with a single user and then expands to any drives that user has access to. Once a machine is infected, ransomware can end up overwriting very important files, especially if the user has access to a company shared drive.

For retail organizations, point of sale malware has also been very common in recent years. We have seen breaches at many major retailers and will likely continue to see breaches in the future. This sort of malware scrapes the memory of the point of sale systems looking for data that matches the pattern of credit card numbers. The credit card data is then extracted from these systems and sold or utilized in fraud.

Sophisticated APT attacks are conducted by stealthy, well-resourced, well-researched, dogged adversaries intent on gaining a foothold in an organization’s IT infrastructure.

AVTs More Potent Than APTs
Then there are AVTs: malware that is never written to disk. Very sophisticated attackers exploit a process or service, carry out their malicious actions in the memory space of the exploited process, and then delete themselves, leaving no forensic evidence on the hard disk. AVTs do not have to reach the victim’s hard drive to deliver their payload. Traditional antivirus solutions depend on the presence of a file on the hard drive, so the absence of any malware on the hard drive makes AVT attacks more potent than the related APTs.

Malware is a business, though, and most malware authors would rather stay on your computer for an extended period of time. This means that malicious programs generally save a copy of themselves to disk so that they can start running again when the computer is rebooted. There is an interesting category of AVT malware called memory-only malware. This malware resides solely in memory, thereby evading detection by the aforementioned traditional antivirus solutions, which scan files on disk.

Creative methods have been found to achieve persistence (restarting after reboot) in memory-only malware. The best-known member of the memory-only malware family was Poweliks. This malware stored itself in the Windows registry and had some code to reload and execute that registry entry at each reboot. Other pieces of malware, such as Linux/Cdorked, featured a modified Apache binary but stored most of their code in shared memory. Since most of its logic was stored solely in memory, Linux/Cdorked was a challenge to analyze.
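Registry-based persistence of the kind described above leaves no file for a scanner to inspect, but the autorun value itself can be triaged. The following is an added example, not code from the original post: it parses `reg query`-style output for a Run key and flags values that carry code inline. The watch list, markers, length threshold and sample entries are assumptions chosen for illustration, not a signature for Poweliks.

```python
import re

# Constructed `reg query`-style output for a Run key; sample values, not from a real host.
SAMPLE = "\n".join([
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r'    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    r"    Updater    REG_SZ    rundll32.exe javascript:INLINE_SCRIPT_PLACEHOLDER",
    "    Sync Helper    REG_SZ    powershell.exe -NoProfile -EncodedCommand " + "QUFB" * 30,
    r"    Backup    REG_EXPAND_SZ    %ProgramFiles%\Backup\agent.exe --quiet",
])

# `reg query` prints each value as: 4 spaces, name, 4 spaces, type, 4 spaces, data.
ENTRY = re.compile(r"^ {4}(.+?) {4}(REG_[A-Z_]+) {4}(.*)$", re.M)
# Assumed watch list: hosts that can run script passed on the command line.
SCRIPT_HOST = re.compile(r"\b(rundll32|mshta|powershell|pwsh|wscript|cscript)(\.exe)?\b", re.I)
# Markers of code carried inside the value rather than in a file on disk.
INLINE_CODE = re.compile(r"javascript:|vbscript:|-enc\w*\s|frombase64string", re.I)
LONG_BLOB = re.compile(r"[A-Za-z0-9+/=]{80,}")  # base64-looking run
MAX_LEN = 260  # assumed threshold: a normal autorun is a path plus a few switches

def parse_reg_query(text):
    """Return (name, type, data) for every value line in the output."""
    return [m.groups() for m in ENTRY.finditer(text)]

def suspicious_reasons(data):
    """List the reasons an autorun value looks like registry-resident code."""
    reasons = []
    if SCRIPT_HOST.search(data) and INLINE_CODE.search(data):
        reasons.append("script host with inline code")
    if LONG_BLOB.search(data):
        reasons.append("long encoded blob")
    if len(data) > MAX_LEN:
        reasons.append("oversized value")
    return reasons

def triage(text):
    """Map each flagged value name to its reasons; clean entries are omitted."""
    findings = {}
    for name, _type, data in parse_reg_query(text):
        reasons = suspicious_reasons(data)
        if reasons:
            findings[name] = reasons
    return findings

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE).items():
        print(f"{name}: {', '.join(reasons)}")
```

Flagged entries are leads for an analyst rather than verdicts, since legitimate software sometimes launches script hosts from autorun keys.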

Controlling Malware Threats
An in-depth security policy is your best defense, including having your network and endpoints protected, proper access controls and network segmentation. With all of that in place, one major aspect that is often overlooked is user education. Suspicious users can save organizations a lot of money. That education could cover everything from browsing habits and being wary of advertisements, all the way to suspicion of emails and phone calls. We have seen many phishing and social engineering attacks that impersonate executives and trick employees into revealing banking details or transferring money to a fraudster. A well-educated user is going to think twice before clicking a link in their email or giving away information on a phone call.

Evolution of Threats and Controls
Organizations are plugging more and more devices in and hooking them up to the Internet. From security systems to ovens, everything is “smart” and connected now. This interconnectedness brings complexity and risk. One improperly configured device or incorrect line of code can have disastrous effects. It would not be the end of the world if someone exploited your refrigerator and mined Bitcoins on it, but when organizations start hooking up medical devices and vehicles to the Internet, careful consideration needs to be given to the implications of doing so. Organizations need to ensure that the systems being built are secure.

Note:  ISACA Now is running a series of blogs on the 10 threats covered in ISACA’s Cybersecurity Nexus (CSX) Threats & Controls tool. The threats include APT, cybercrime, DDoS, insider threats, malware, mobile malware, ransomware, social engineering, unpatched systems and watering hole. To learn more about the controls for cybercrime, as well as recent examples and references, typical patterns of cybercrime and more, visit the tool here.

Douglas Goddard, Analyst, Independent Security Evaluators

[ISACA Now Blog]
