In today's network environments, malware that evades legacy defenses is pervasive, with communication and activity occurring up to once every three minutes. Unfortunately, most of this activity is inconsequential to the business. You would think that would be good news right? The problem is that incident responders have no good way of distinguishing inconsequential malware from (potentially) highly damaging malware. As a result, they spend way too much time and resources chasing red herrings while truly malicious activity slips past.
[The processes and tools behind a true APT campaign: Overview]
Add into the mix sleepless nights that result from compulsive viewing of malware alert dashboards showing hundreds to thousands of malicious activity alerts. With a daunting list of malware to analyze and only so many hours in the day, its no huge surprise headline making breaches are increasingly becoming the norm.
The reality is that advanced malware defense is a complex undertaking, one that requires not only the ability to detect malware – which in complex network environments is already difficult – but also to prioritize action where it will have the best security outcome. Reducing the lifecycle of an active attack by even a few days can reduce the economic impact of an attack by millions.
So how do we speed things up? Context is the antidote to uncertainty created by the plethora of malware alerts. How do you gain that context? The first step is to know what to look for. Once you understand what you need to know, you can begin to automate data collection and correlation.
With that being the case, Here are the things you should look for before deciding to take an action:
Intent
Malware comes in all shapes and forms. While majority of malware maybe content with showing your users unwanted ads or enticing them to download more free games, there is advanced malware with true intent of creating damage — targeted, sophisticated attacks. The severity of intent may vary from being part of a botnet sending spam messages all the way to targeted threats designed to steal information and create disruptions. Understanding the true intent of malware can be difficult, but there are several telltale signs that can be used as a proxy for it:
- Complexity (evasiveness): Although there are no absolutes when dealing with malware; in general, more effort in evasiveness means a more critical threat. If a piece of executable code tries "too hard" to evade detection e.g. by encrypting the payload it can be considered more dangerous than malware that did not.
- Delivery sophistication: How much effort and customization was done to deliver the malware to your organization is a great indicator of the sophistication and skilles of the attacker, and is also a good indicator of intent . A malware propagating through a custom delivered message to your employees is likely more harmful than an infection that came in from a mass email.
- Questionable functionality: If malware code includes questionable functionality e.g. calls to capture keystrokes or screenshots; it is likely to be more severe.
Online services like VirusTotal can be a very handy resource for checking the reputation and intent of malware.
Targets
Although advanced attackers can make inroads into your network by having malware leapfrog around until they find what they are looking for, common sense dictates going after the threats targeting more sensitive users and devices first.
In order to do this, you need to classify the devices, networks and users in your organizations based on the criticality of the information stored on a given device or system, or by the criticality of information users have access to. This is best done by:
- Maintaining a list of critical networks and subnets in your organization
- Maintaining a list of critical Active Directory groups based on the sensitivity of users e.g. finance, data center, executive staff etc.
Use an IP address management solution or similar appliance to maintain a real-time mapping of devices, IP addresses, networks and users. This information will be critical in determining the priority of a threat when you see a malware download or command & control alert.
The source
The source of an infection is also an important indicator of maliciousness of malware. Think, who and where your biggest enemies are and if the source of the malware can be traced back to them. It will not be possible always to do so but when you can, it will immediately alert you to the severity of attack and help you with action prioritization.
[RSAC 2014: Experts discuss the harsh realities of incident response]
The simplest way to find adversaries it to try and geo-locate them based on the download URL IP address and command & control traffic IP addresses. There are several Internet resources that can help you geo-locate IP addresses and also provide associated reputation data.
Severity
With less than 10% of malware downloads resulting in an infection, there is no reason to chase after malware download alerts that have not taken hold. Therefore, knowing where malware sits in kill-chain – e.g. number of downloads, number of infections and number of command-and-control callbacks – is a clear indicator of severity and can be extremely helpful in prioritizing remediation.
If you see a lot of downloads for a malware type but no command-and-control traffic, it is likely that the anti-virus software is able to catch it or all of your systems are patched appropriately and are not vulnerable to it. On the other hand, if you see a lot off command-and-control traffic for a specific infected device, it is likely the malware is exfiltrating information or causing other damage and must be contained as soon as possible.
Remediation basics
Having a clear understanding of how to stop malware from further propagating and control the damage is critical to mitigating threats. Here are three fundamentals for threat mitigation:
- Identify and block the infection source: Once you have decided to take action, it is obvious that you use Firewall and/or Secure Web Gateway devices to block access to the URL that is hosting malware. If email is determined to be the source of malware, send out information to users to not open suspicious attachments.
- Identify and block the command and control traffic: Look at the firewall and web logs to determine the CnC IP addresses and block communications to/from these.
- Identify and clean the infected devices: This is the costliest and most painful mitigation action. Typically a device cleanup will require re-imaging a system, which is time consuming and also makes your employees unproductive as they lose access to their device during cleanup. Ensure your users take regular backups of their devices.
While high profile attacks continue to dominate the headlines, it's not all doom and gloom. There's an ever-widening set of methods for preventing and defending against advanced attacks, and while the bad guys might be evolving their methods, so are the good guys. And as clichéd as it sounds, when it comes to advanced attacks, an ounce of prevention is worth a pound of cure.
Shel Sharma is the director of product management for Cyphort.