2014 was riddled with major data breaches. Retailers, banks and financial institutions, government agencies, and military assets were all victimized by cyber attacks. According to a new report from CyActive titled Cyber Security’s Infamous Five of 2014, though, most of these attacks relied on known malware components that organizations should have been able to detect and avoid.
CyActive found that hundreds of millions of dollars of damage was caused using recycled malware components that have been known for nearly a decade, and that cost very little for attackers to employ. The report focuses on the degree to which these breaches could have been avoided, and the ease with which recycled malware is used to achieve maximum impact. The analysis reveals that the cost and effort required for attacks continues to decline dramatically, while the resources and effort required to detect and prevent the attacks continues to increase sharply.
An infographic that accompanies the report highlights the key findings. For example, components from five known malware families were responsible for many of the biggest attacks. Elements of Snake were re-used 12 times, and Black PoS caused more than $200 million in damage using eight recycled malware components in an exploit toolkit that can be acquired online for as little as $1,800. ZBerp—an attack that utilizes four recycled malware components—hit 450 financial institutions around the world.
The question organizations need to consider is how or why these attacks succeeded. The short answer is that the pervasive model of signature-based detection is flawed and unreliable. Malware developers can continue to use the same attacks and evade detection by signature-based security tools at the same time by simply making a few minor changes to the exploit code.
"This analysis makes clear how important it is for the cyber security community to focus on predictive, proactive measures to stem the tide of attacks, rather than solely reacting to them," said Shlomi Boutnaru, CyActive Co-founder and CTO, in a company press release. "Unfortunately, reactive defense remains the common denominator today, despite the overwhelming evidence of reused and recycled components seen in the most notorious attacks."
The signature model is too specific. It relies too heavily on a new attack matching previous attacks precisely. It’s time for organizations to employ next-generation security platforms that leverage threat intelligence and analyze the actual behavior of executing code rather than just giving it a pass or fail based on whether or not it matches a known signature.
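To make the contrast concrete, here is an added illustration (not from the CyActive report) of why an exact-match signature misses a trivially modified sample while a check on what the code does still fires. The sample bytes, the sandbox-style action trace, and the component name `data_stealer` are all constructed for this example; the action names are hypothetical stand-ins for what a dynamic-analysis tool would report.

```python
import hashlib

# Constructed stand-in for a compiled sample; no real malware is involved.
ORIGINAL = b"MZ\x90\x00...component-v1-build..."
# The "minor change" the article describes: a rebuild that alters a few bytes.
RECOMPILED = ORIGINAL.replace(b"v1", b"v2")

# Constructed behaviour trace as a sandbox might report it for BOTH builds,
# since the cosmetic change does not alter what the code actually does.
TRACE = [
    "open_registry_key", "enumerate_processes", "sleep",
    "read_process_memory", "match_card_track_data",
    "write_file", "http_post",
]

# A reused component is characterised by an ORDERED sequence of actions.
# Unrelated actions interleaved in the trace (noise) are tolerated.
COMPONENT_PATTERNS = {
    "data_stealer": ["enumerate_processes", "read_process_memory",
                     "match_card_track_data", "write_file", "http_post"],
}


def hash_signature_hit(sample_bytes, known_hashes):
    """Classic signature check: exact SHA-256 match against a known set."""
    return hashlib.sha256(sample_bytes).hexdigest() in known_hashes


def behaviour_hits(trace, patterns):
    """Return components whose action sequence appears, in order, within
    the trace (an ordered-subsequence match, so extra actions are ignored)."""
    hits = []
    for name, seq in patterns.items():
        it = iter(trace)                 # consumed left to right
        if all(action in it for action in seq):
            hits.append(name)
    return hits


def compare(original, variant, trace):
    """Signature DB built from the original only; then test the variant."""
    known = {hashlib.sha256(original).hexdigest()}
    return {
        "hash_original": hash_signature_hit(original, known),
        "hash_variant": hash_signature_hit(variant, known),
        "behaviour_variant": behaviour_hits(trace, COMPONENT_PATTERNS),
    }
```

Running `compare(ORIGINAL, RECOMPILED, TRACE)` shows the hash signature catching only the original build, while the behaviour check still reports `data_stealer` for the rebuilt variant.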
Check out the full report from CyActive for more details. Let me know what you think. Does it seem reasonable to expect that the security tools we rely on to defend our networks and endpoints should be smart enough to recognize techniques and components that have been seen in prior attacks?