It may seem counterintuitive, but an overzealous focus on malware may be preventing you from detecting even bigger threats.
Whether the goal of a malware attack is generating ad-clicks, building a botnet, or something more damaging, no one disputes that preventing and combating these infestations is critical for security teams. But too often this battle overshadows an even bigger threat to an organization: a targeted data breach, which takes a very different orientation, and a different set of tools, to fight.
For the most part, in a targeted attack, malware is optional. If it is used at all, it is a side tool rather than the main component of the attack. Attackers will engineer their way inside a network with or without malware, and once inside they are more apt to use built-in utilities, a command-line interface, and other legitimate administrative functions to move the breach forward. This process is rarely automated and certainly not autonomous, which leads to:
Mistake #1: Focusing breach detection on malware detection
Because a successful targeted data breach is an iterative process in which the attacker bypasses prevention technologies, he will, by definition, have bypassed the tools that deal with malware, whether or not he used any. Most of his activity will be reconnaissance to understand the network and lateral movement to get closer to important assets, and neither step requires malware.
The harder problem is that even when you do detect malware, you cannot easily tell whether you have uncovered a targeted attack. Looking at the malware alone rarely reveals whether it is connected to a larger campaign. In some cases, identifying and removing malware even gives a security team a false sense of security: it keeps them busy and productive while making them think they are doing all they can to detect an active breach. Often they aren't.
How do you avoid Mistake #1? I have two ideas:
- Focus breach detection on the behaviors an attacker must exhibit, not on technical artifacts like malware. To detect active breaches, conduct ongoing behavioral analysis of computers and users (an account authenticating to many hosts in a short window, a workstation suddenly enumerating domain groups and shares, administrative tools launched from an ordinary user's session) rather than sandboxing and searching for IOCs (indicators of compromise). Sandboxing is malware detection under another name, and IOCs are signatures of artifacts that have already been seen somewhere else; neither catches an attacker who uses only the tools your own administrators use.
- If you do detect malware or a malicious tool, don't end your investigation there. Many targeted attacks use relatively simple Remote Access Tools (RATs) and commodity malware variants such as Zeus. Ask what is special about the specific computer in question, or its owner. Where else is this malware, tool, or utility used? What information or resources are reachable from this asset? Asking the right questions is the key to differentiating mass malware from a targeted attack. You don't want to waste precious resources investigating simple malware; but if you suspect that a computer is targeted, you should try to understand the attack early in the process to enable further investigation.
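The distinction drawn in the two points above, as an added example that is not part of the original article: two behavioral detectors (a burst of reconnaissance commands from one host and user, and one account authenticating to many hosts in a short window) run beside a hash-based IOC match over the same constructed telemetry. Hostnames, account names, command lines, hashes and the IOC feed are all invented for illustration; the attacker uses only built-in Windows binaries, so the IOC match returns nothing while both behavioral rules fire. The last function answers one of the pivot questions from the list: where else has this tool been used?

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry (not real data): one workstation and three servers in a
# hypothetical domain. Records are authentication or process-creation events,
# modelled loosely on what an endpoint agent reports.
EVENTS = [
    {"ts": "2014-03-03T09:02:11", "host": "WS-017", "user": "j.doe", "type": "process",
     "image": "outlook.exe", "cmdline": "outlook.exe", "sha256": "a1" * 32},
    # Reconnaissance with built-in, signed binaries: no malware involved.
    {"ts": "2014-03-03T09:40:02", "host": "WS-017", "user": "j.doe", "type": "process",
     "image": "whoami.exe", "cmdline": "whoami /all", "sha256": "b2" * 32},
    {"ts": "2014-03-03T09:40:09", "host": "WS-017", "user": "j.doe", "type": "process",
     "image": "net.exe", "cmdline": 'net group "domain admins" /domain', "sha256": "c3" * 32},
    {"ts": "2014-03-03T09:40:31", "host": "WS-017", "user": "j.doe", "type": "process",
     "image": "nltest.exe", "cmdline": "nltest /dclist:corp", "sha256": "d4" * 32},
    {"ts": "2014-03-03T09:41:15", "host": "WS-017", "user": "j.doe", "type": "process",
     "image": "net.exe", "cmdline": "net view /domain", "sha256": "c3" * 32},
    # Lateral movement: a service account used from the workstation against
    # three servers within two minutes.
    {"ts": "2014-03-03T10:05:00", "host": "FS-01", "user": "svc_backup", "type": "logon", "src": "WS-017"},
    {"ts": "2014-03-03T10:05:40", "host": "SQL-02", "user": "svc_backup", "type": "logon", "src": "WS-017"},
    {"ts": "2014-03-03T10:06:12", "host": "DC-01", "user": "svc_backup", "type": "logon", "src": "WS-017"},
    # The same account at its normal nightly cadence must not trip the rule.
    {"ts": "2014-03-02T23:00:00", "host": "FS-01", "user": "svc_backup", "type": "logon", "src": "BKP-01"},
]

# Constructed IOC feed of known-bad hashes. Nothing the attacker ran is in it.
KNOWN_BAD_SHA256 = {"ee" * 32, "ff" * 32}

# Command lines that are individually benign but, clustered within minutes from
# one host and user, show an operator mapping the domain by hand.
RECON_PATTERNS = ("whoami /all", "net group", "nltest /dclist", "net view", "net user /domain")


def _ts(event):
    return datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%S")


def ioc_matches(events, bad_hashes=KNOWN_BAD_SHA256):
    """Signature-style detection: process events whose binary hash is known bad."""
    return [e for e in events if e["type"] == "process" and e["sha256"] in bad_hashes]


def _burst(items, window, minimum):
    """Return the sorted distinct values of the first sliding window holding at
    least `minimum` of them, or None. `items` is a list of (datetime, value)."""
    items = sorted(items)
    for i, (start, _) in enumerate(items):
        values = {v for t, v in items[i:] if t - start <= window}
        if len(values) >= minimum:
            return sorted(values)
    return None


def detect_recon_burst(events, window=timedelta(minutes=10), min_commands=3):
    """Behavioural: (host, user) pairs that ran several distinct reconnaissance
    commands inside one window. Keyed on command lines, not on binary hashes."""
    by_actor = defaultdict(list)
    for e in events:
        if e["type"] == "process" and any(p in e["cmdline"].lower() for p in RECON_PATTERNS):
            by_actor[(e["host"], e["user"])].append((_ts(e), e["cmdline"]))
    return sorted(actor for actor, seen in by_actor.items() if _burst(seen, window, min_commands))


def detect_lateral_movement(events, window=timedelta(minutes=30), min_hosts=3):
    """Behavioural: accounts that authenticated to many distinct hosts inside one
    window, whatever ran afterwards. Returns {user: sorted hosts in the burst}."""
    by_user = defaultdict(list)
    for e in events:
        if e["type"] == "logon":
            by_user[e["user"]].append((_ts(e), e["host"]))
    hits = {}
    for user, seen in by_user.items():
        hosts = _burst(seen, window, min_hosts)
        if hosts:
            hits[user] = hosts
    return hits


def hosts_running(events, image):
    """Pivot question from the text: where else has this tool been used?"""
    return sorted({e["host"] for e in events if e["type"] == "process" and e["image"] == image})


if __name__ == "__main__":
    print("IOC hits:", ioc_matches(EVENTS))
    print("Recon bursts:", detect_recon_burst(EVENTS))
    print("Lateral movement:", detect_lateral_movement(EVENTS))
    print("net.exe seen on:", hosts_running(EVENTS, "net.exe"))
```

The thresholds and the reconnaissance pattern list are tuning knobs, not fixed values: the nightly backup logon shows why the window has to be short enough that routine service-account activity stays below `min_hosts`, and in a real deployment the pattern list would be baselined against what administrators on each host actually run.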
Mistake #2: Focusing the remediation process on malware removal
If a security professional does discover suspicious behavior, simply removing the malware or re-imaging the machine won't achieve very much. When a breach is discovered, it is usually difficult to understand the full extent of the problem, yet security organizations generally rush to re-image the computer or remove the malware as quickly as possible. Some even measure how long this takes and try to optimize it. If you are in fact facing a targeted attack, this practice does nothing to change the fact that the attacker controls your network. An attacker inside the network usually has multiple footholds. Removing one of them tips off the attacker that you are aware of him, and re-imaging destroys whatever evidence that machine held.
So how do you avoid this mistake? Again, two ideas:
- Instead of focusing on removing the malware and re-imaging the machine, focus on the significance of the endpoint, its owner, and the detected behavior. Record the machine's purpose, its owner, and the malware or program involved in the behavior, and take a snapshot (memory and disk) of the machine before removing the malware or re-imaging it. After remediation is complete, keep tracking the case (user, machine, and related assets).
- Remediation should start with triage and investigation of the suspicious behavior, based on both network context, which gives breadth and complete visibility, and endpoint context, which provides depth and root-cause analysis. Most breach detection programs implemented in organizations today will find suspicious network activity but have no endpoint context, which leads to blind decisions to re-image the machine.
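The triage flow described in both points above, as an added example that is not the article's own code: a network alert is joined to endpoint telemetry to find the process behind the connection and the image that launched it, the attacker's binary is scoped to other hosts by its profile-relative path rather than by hash, an asset inventory supplies owner, purpose and reachable assets, and the resulting case record puts snapshotting ahead of any isolation or re-image. The alert, the telemetry, the inventory, the file paths and the 203.0.113.7 destination are all constructed for illustration.

```python
# Constructed network alert (not real data): what a network-side breach
# detection product typically reports. It names a host and a destination and
# says nothing about which program was responsible.
NETWORK_ALERT = {"host": "WS-017", "dst": "203.0.113.7", "dst_port": 443,
                 "signal": "periodic outbound beacon"}

# Constructed endpoint telemetry from three hosts: process table (pid -> image,
# user, parent pid) and the connections each process opened. Paths and users are
# hypothetical. The attacker's binary is an svchost.exe dropped under a user
# profile, named to blend in with the genuine one under System32.
ENDPOINT = {
    "WS-017": {
        "processes": {
            4120: {"image": r"C:\Windows\explorer.exe", "user": "j.doe", "parent": 0},
            5212: {"image": r"C:\Users\j.doe\AppData\Roaming\update\svchost.exe",
                   "user": "j.doe", "parent": 4120},
        },
        "connections": [{"pid": 5212, "dst": "203.0.113.7", "dst_port": 443}],
    },
    "FS-01": {
        "processes": {
            812: {"image": r"C:\Windows\System32\svchost.exe", "user": "SYSTEM", "parent": 600},
            2290: {"image": r"C:\Users\svc_backup\AppData\Roaming\update\svchost.exe",
                   "user": "svc_backup", "parent": 1400},
        },
        "connections": [],
    },
    "SQL-02": {
        "processes": {812: {"image": r"C:\Windows\System32\svchost.exe", "user": "SYSTEM", "parent": 600}},
        "connections": [],
    },
}

# Constructed asset inventory: the "significance of the endpoint" the text asks
# for, plus which other assets each host can reach.
INVENTORY = {
    "WS-017": {"owner": "j.doe", "purpose": "finance analyst workstation",
               "criticality": "medium", "reaches": ["FS-01", "SQL-02"]},
    "FS-01": {"owner": "it-ops", "purpose": "file server (finance share)",
              "criticality": "high", "reaches": ["SQL-02"]},
    "SQL-02": {"owner": "dba-team", "purpose": "ERP database",
               "criticality": "high", "reaches": []},
}


def root_cause(alert, endpoint):
    """Depth: join the network alert to the endpoint and return the process that
    opened the connection and the image that launched it, or None."""
    host = endpoint[alert["host"]]
    for conn in host["connections"]:
        if conn["dst"] == alert["dst"] and conn["dst_port"] == alert["dst_port"]:
            proc = host["processes"][conn["pid"]]
            parent = host["processes"].get(proc["parent"], {}).get("image")
            return {"pid": conn["pid"], "image": proc["image"], "user": proc["user"], "parent": parent}
    return None


def _profile_relative(path):
    """Lower-case the path and replace the user-profile directory with '*', so the
    same dropper under two profiles compares equal while the System32 binary does not."""
    parts = path.split("\\")
    if len(parts) > 2 and parts[1].lower() == "users":
        parts[2] = "*"
    return "\\".join(parts).lower()


def scope_footholds(image, endpoint):
    """Breadth: every host whose process table holds the same profile-relative
    image. Comparing by path catches a copy whose hash differs per host."""
    key = _profile_relative(image)
    return sorted(h for h, data in endpoint.items()
                  if any(_profile_relative(p["image"]) == key for p in data["processes"].values()))


def open_case(alert, endpoint, inventory):
    """Build the case record the text asks for and order the response so that
    evidence is preserved before anything is removed."""
    cause = root_cause(alert, endpoint)
    footholds = scope_footholds(cause["image"], endpoint) if cause else [alert["host"]]
    asset = inventory[alert["host"]]
    exposed = sorted(set(footholds) | {a for h in footholds for a in inventory[h]["reaches"]})
    # Snapshot first, always: re-imaging erases exactly what the investigation needs.
    actions = ["snapshot memory and disk of " + h for h in footholds]
    actions.append("preserve network and endpoint logs for " + ", ".join(footholds))
    if len(footholds) > 1 or any(inventory[h]["criticality"] == "high" for h in footholds):
        # Removing one foothold tells the attacker you are aware of him; with
        # several, containment has to be planned and executed together.
        actions.append("escalate: multiple footholds or high-value host; "
                       "plan coordinated containment before any re-image")
    else:
        actions.append("isolate " + alert["host"] + ", then re-image once the snapshot is verified")
    actions.append("keep the case open: track " + asset["owner"] + " and " + ", ".join(exposed))
    return {"host": alert["host"], "owner": asset["owner"], "purpose": asset["purpose"],
            "behaviour": alert["signal"], "cause": cause, "footholds": footholds,
            "exposed_assets": exposed, "actions": actions}


if __name__ == "__main__":
    for key, value in open_case(NETWORK_ALERT, ENDPOINT, INVENTORY).items():
        print(f"{key}: {value}")
```

With only the network alert, the obvious move is to re-image WS-017. With the endpoint join, the case shows the beacon came from a user-profile svchost.exe launched from the user's desktop session, that FS-01 carries the same dropper under a different profile, and that the ERP database is reachable from both, which is why the record escalates instead of scheduling a re-image.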
It’s time to start responding to data breaches with new tools and new thinking. Don’t let malware prevention tactics become the basis of post-intrusion detection.
This article was first published in Dark Reading.