HUNTING FREQUENT AND DANGEROUS #2: Protection against Malware, Ransomware and Zero-day exploit

In our previous articles we looked at the most common types of cyberattack, how they are designed and how they operate. Such understanding helps us build adequate and effective protection strategies. This time we'll focus on malware, ransomware and zero-day exploits.

#4 Zero-day exploits: The Chimera

As a user, you stand no chance of predicting zero-day attacks. It is certainly wise to choose well-known and reliable software vendors rather than freeware utilities downloaded from the web. However, even the biggest and most careful companies cannot always avoid leaving an unspotted hole in their systems for attackers to compromise, not even names as big as Adobe. In fact, eight of the top 10 vulnerabilities used by exploit kits last year were Adobe Flash-related. Patching must therefore be an absolutely essential component of our security strategy. Some software flaws remain undiscovered for months or even years, leaving attackers ample time to misuse them. Just a few months ago, in October 2016, Neel Mehta and Billy Leonard of Google's Threat Analysis Group reported a major bug in Adobe Flash affecting millions of users. This exploit enabled attackers to run crafted code on systems where users opened a malicious file. Once a system was compromised, attackers could exfiltrate data, use the system to perform further attacks, and more. Many zero-day attacks start with lateral movement, which means attackers are "scanning" the network for vulnerable devices. The scanning, together with the subsequent communication of the compromised station, are activities that can be detected at the network level with no knowledge of the zero-day exploit itself, as explained further in this article.

#5 Malware: Sneaky tiger lying in wait

Network perimeters are usually very well secured, so attackers have found another way in. One of the most common and worrisome groups of attacks is what we call an inside threat: these try to compromise a station and make it attack other stations within the local network, so that the attack traffic is not visible at the network perimeter.
Network Behavior Analysis (NBA) focuses primarily on communication within the organization's network and leverages machine learning, heuristics and anomaly detection to detect malicious activity. Because it does not rely on signatures of known malware, it also addresses as yet undiscovered code. This also means that NBA does not detect a specific piece of malware; it detects the behaviour of different kinds of malicious activity, which on the network always looks inherently different from normal behaviour. In practice, what an administrator of such a system sees is: this laptop is sending spam, it looks like malware. Or: this server is sending large amounts of data over ICMP or DNS, which is abnormal activity. A follow-up analysis that should take no more than a few minutes will show that it was actually data exfiltration, which again points to a malware infection. NBA also applies to the whole new era of file-less malware that runs in RAM and persists in the system registry, but never actually exists as code installed on the server, which means it slips under the radar of most antivirus products. The activity of this latest trend in attacks can again be spotted at the network level. This is as far as the "artificial intelligence" applied in NBA goes today. With a low number of false positives, simplicity of operation and the possibility to automate the response, it should be one of the pillars of your cyber security program.
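As an added example (not code from this article or from any NBA product), the following toy behaviour-based pass runs over constructed flow records and flags the three patterns discussed above without any malware signature: the network "scanning" mentioned in the zero-day section, abnormal DNS/ICMP volume against a per-host baseline, and a workstation pushing mail to many SMTP peers. Thresholds, baselines and addresses are assumptions chosen for the example.

```python
from collections import defaultdict

# Assumed thresholds for this toy example; a real NBA product learns these.
SCAN_MIN_DISTINCT_DST = 20   # distinct destinations before we call it a scan
COVERT_BYTES_RATIO = 10.0    # DNS/ICMP bytes more than 10x the host's baseline
SPAM_MIN_DISTINCT_MX = 5     # distinct SMTP peers before we call it spamming

def analyse(flows, baseline_bytes):
    """Return sorted (src, finding) tuples.

    flows: iterable of (src, dst, proto, dst_port, bytes) records.
    baseline_bytes: per-source normal DNS+ICMP byte volume for the period.
    """
    dsts = defaultdict(set)      # distinct peers per source (scan detection)
    covert = defaultdict(int)    # bytes over DNS or ICMP per source
    mx = defaultdict(set)        # distinct SMTP peers per source
    for src, dst, proto, port, nbytes in flows:
        dsts[src].add(dst)
        if proto == "icmp" or (proto == "udp" and port == 53):
            covert[src] += nbytes
        if proto == "tcp" and port == 25:
            mx[src].add(dst)
    findings = []
    for src, peers in dsts.items():
        if len(peers) >= SCAN_MIN_DISTINCT_DST:
            findings.append((src, "scan"))
    for src, nbytes in covert.items():
        base = baseline_bytes.get(src, 0)
        if base and nbytes > COVERT_BYTES_RATIO * base:
            findings.append((src, "covert-channel"))
    for src, peers in mx.items():
        if len(peers) >= SPAM_MIN_DISTINCT_MX:
            findings.append((src, "spam"))
    return sorted(findings)

# Constructed sample flows: a scanner, a DNS-heavy host, a spam source, and
# one host with ordinary traffic. Addresses are placeholders.
SAMPLE_FLOWS = (
    [("10.0.0.5", f"10.0.0.{i}", "tcp", 445, 60) for i in range(10, 40)]
    + [("10.0.0.7", "10.0.0.2", "udp", 53, 50_000)]
    + [("10.0.0.9", f"203.0.113.{i}", "tcp", 25, 4_000) for i in range(1, 9)]
    + [("10.0.0.11", "10.0.0.2", "udp", 53, 900),
       ("10.0.0.11", "10.0.0.3", "tcp", 443, 20_000)]
)
BASELINE = {"10.0.0.7": 1_200, "10.0.0.11": 1_000}  # constructed baselines

if __name__ == "__main__":
    for src, what in analyse(SAMPLE_FLOWS, BASELINE):
        print(f"{src}: {what}")
```

The host with ordinary traffic (10.0.0.11) produces no finding, which is the point: the pass reacts to deviation from normal behaviour, not to what the code on the host is.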

#6 Ransomware: A Pack of Hyenas

Ransomware is, from the protection strategy perspective, the same as malware: it is just another type of malicious code. So maybe just a few fun facts that I took over from

Ransomware Makes More Annually Than Security Businesses Sell For

Researchers with Bromium report that the prevalence of ransomware more than doubled in 2015 and has increased six-fold since 2013. Ransomware is so pervasive because criminals are absolutely raking it in. One estimate showed that a single flavor of ransomware, Cryptowall 3.0, made over $325 million from US victims in 2015 alone. That's more than FireEye paid for iSight Partners in January. That sale was for $200 million.

A Ransomware Bribe Equals One Car Payment

The cost to decrypt a drive struck by ransomware varies, but generally averages around $500. Consider that Edmunds last year put the average monthly car payment at $483 and that gives some pretty good perspective as to how much people are willing to pay to get control back over their sweet, sweet data stores.

Prior to an attack, 4 out of 5 organizations are confident backup can provide them with complete recovery

In a survey we conducted with IT pros from over 300 organizations, nearly 100% reported they were actively backing up their data. Out of those who had not yet experienced a ransomware attack, 81 percent said they were confident they would be able to recover any data attackers encrypted from backup, without paying the ransom.

Less than half of ransomware victims fully recover their data, even with backup

Of the IT pros we surveyed who had experienced a ransomware attack, only 42 percent reported being able to successfully recover all their data from backup. Common reasons for incomplete backup recovery included unmonitored and failed backups, loss of accessible backup drives that were also encrypted, and loss of between 1 and 24 hours of data since the last incremental backup snapshot.

71% of organizations targeted by Ransomware end up infected.

And I think this statement speaks for itself and doesn’t need any further explanation.

In the next episode I’ll focus on different types of DDoS attacks and most common protection strategies.