I am in danger of pigeon-holing, type-casting myself as The Anti-Virus Guy. That doesn’t bother me too much, when I see how the Heartland, Hannaford Brothers and RSA data breaches remained effective and undiscovered due to undetected malware. According to the 2009 Verizon Data Breach Investigations Report, 38% of data theft utilized malware (67% were aided by significant errors). According to the 2009 CSI Computer Crime and Security survey, 74% of companies experienced malware infections in 2005, with that number decreasing to 50% in 2008 but returning to 64% in 2009.
Nick Lewis, in his debriefing "Operation Aurora: Tips for thwarting zero-day attacks, unknown malware", said:
Never-before-seen malware is a fairly common attack vector, often used to do something that will immediately be monetized by a common criminal.
My statistically unsupported speculation (but confirmed by reviews of the Heartland, Hannaford and other breaches): most data theft can be described by the following scenario:
- a mistake was exploited (misconfiguration or vulnerability left unpatched),
- the network was hacked,
- malware was installed and
- data collected.
From this you learn that finding and fixing configuration errors and applying patches are required measures. Finding the intrusions, the undetected malware and the data exfiltration are required measures as well.
If you have a highly mobile workforce, anti-virus software should be considered as an intrusion detection system.
Intrusion detection systems detect anomalies, typically restricting their focus to anomalous network activity. An anomaly may have been caused by an intruder, although it rarely is. Intrusion detection systems rely upon a person to investigate and determine the appropriate action.
Anti-virus software detects malware, typically spyware or Trojan horse software. A virus (malicious code inserted in a host program) is rare. Anti-virus software has expanded its scope to include a broader range of software that you may not want running.
Learning where the detected malware came from helps you to block access to that location and helps you to learn what other programs arrived from that location. Treat malware detection alerts as suspicious activity to investigate and take appropriate action.
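One way to act on that advice, as an added example that is not part of the original post: correlate anti-virus alerts with the endpoint's download history so that each detection yields a candidate location to block and a list of other, unflagged files that arrived from the same location. The log formats, hostnames, paths and URLs below are constructed for illustration; real vendor logs differ.

```python
"""Treat anti-virus alerts as intrusion signals: correlate with download history."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed anti-virus alert lines: host|user|file path|detection name|download source URL
AV_ALERTS = """\
lap-017|jdoe|C:\\Users\\jdoe\\Downloads\\invoice.exe|Trojan.Generic|http://files.example-bad.test/dl/invoice.exe
lap-042|asmith|C:\\Users\\asmith\\AppData\\Local\\Temp\\setup.exe|Spyware.Agent|http://files.example-bad.test/dl/setup.exe
lap-003|bwong|C:\\Users\\bwong\\Downloads\\report.pdf.exe|Trojan.Dropper|http://cdn.legit-example.test/report.pdf.exe
"""

# Constructed download history from the endpoint (browser or proxy log): host|file path|source URL
DOWNLOADS = """\
lap-017|C:\\Users\\jdoe\\Downloads\\invoice.exe|http://files.example-bad.test/dl/invoice.exe
lap-017|C:\\Users\\jdoe\\Downloads\\update.exe|http://files.example-bad.test/dl/update.exe
lap-042|C:\\Users\\asmith\\AppData\\Local\\Temp\\setup.exe|http://files.example-bad.test/dl/setup.exe
lap-055|C:\\Users\\cruiz\\Downloads\\helper.exe|http://files.example-bad.test/dl/helper.exe
lap-003|C:\\Users\\bwong\\Downloads\\report.pdf.exe|http://cdn.legit-example.test/report.pdf.exe
lap-003|C:\\Users\\bwong\\Downloads\\brochure.pdf|http://cdn.legit-example.test/brochure.pdf
"""


def source_host(url):
    """Reduce a download URL to the host that served it."""
    return urlsplit(url).hostname


def correlate(av_alerts, downloads):
    """Return (block_candidates, followups).

    block_candidates: hosts that delivered detected malware, for a person to review
    before blocking (an alert is a lead to investigate, not a verdict).
    followups: {source: [(endpoint, path), ...]} of files fetched from those hosts
    that the anti-virus did NOT flag, so the investigator can examine them too.
    """
    detected = set()   # (endpoint, path) pairs the anti-virus already flagged
    sources = set()
    for line in av_alerts.strip().splitlines():
        endpoint, _user, path, _name, url = line.split("|")
        detected.add((endpoint, path))
        sources.add(source_host(url))
    followups = defaultdict(list)
    for line in downloads.strip().splitlines():
        endpoint, path, url = line.split("|")
        src = source_host(url)
        if src in sources and (endpoint, path) not in detected:
            followups[src].append((endpoint, path))
    return sorted(sources), dict(followups)


if __name__ == "__main__":
    blocks, todo = correlate(AV_ALERTS, DOWNLOADS)
    print("candidate blocks:", blocks)
    for src, files in todo.items():
        print(src, "-> also delivered:", files)
```

Note that lap-055 never raised an alert; it surfaces only because it fetched a file from the same host as a detected sample, which is exactly the kind of lead a network-based IDS would miss for a laptop outside the company network.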
Network-based IDS blind spots
In a mobile workforce you cannot rely upon your network monitoring equipment to inform you about anomalous conditions. Your network-based intrusion detection system can inspect internal network traffic, including traffic on VPN connections, but traffic that never touches the company network is outside its scope. Nonetheless, you can still gather information about anomalous events on those machines through your anti-virus software.
A network-based IDS may not map to your organizational structure. When the Network Operations Center (NOC) or Security Operations Center (SOC) receives an alert, it must be dispatched to another organization for investigation. Does the receiving organization have a mechanism for accepting work that is not customer-initiated? Can the NOC or SOC open a problem report or work ticket for the receiving organization? Is the NOC or SOC willing to do the data entry required? The problem with testing is that you eventually find something, and that something means more work. Will the NOC or SOC drop the alert because it is easier to ignore?