
Beyond malware: why breach detection is the new normal

(Image credit: Balefire / Shutterstock)

Malware, and the understanding of malware variants, families, and strains, has been at the heart of cybersecurity research for years. As enterprises took to all things Internet to run their businesses and connect on a global scale, these infections spread. To limit the damage, anti-virus systems would be installed on individual machines, updates would be applied, scans would be run, and any infections would be cleared; or so organizations thought. Increasingly, however, there is an industry-wide shift towards looking not only at the initial infection but at the potentially wide-ranging consequences that follow; all of which comes down to breach detection. This change is a response to the sheer number of corporate data breaches in recent years, which prove that attackers are getting cleverer at beating the old security tactics while the rest of us struggle to keep up.

Malware is only one piece of the puzzle 

Put simply, malware is only one of the components of a breach. Malware is the conduit that provides capability to an attack; it can disrupt a network infrastructure, as seen in ransomware infections, or help an attacker gain long term access to a corporate system. But it’s important to remember that malware is just one element of the breach – and security efforts should not stop at its mere detection.    

Detecting the malware is the first step; understanding what the attacker did afterwards is the crucial element. Breach detection is about understanding how bad an attack is once the malware has been detected. It challenges security teams to think not only about the infection, but about what happened to allow the infection to take place, and what happened after it.

Using malware analysis as the jumping off point for a larger investigation into the incident allows companies to engage with a more holistic, comprehensive approach to understanding what happens around breaches, as opposed to just understanding the malware that facilitated it.   

The necessity of breach detection 

Once the malware is identified, what remains is to understand how badly it has affected the company's ability to carry out its usual organizational functions. Characterizing the malware and its effects therefore falls under breach detection, and helps security teams build a better understanding of their adversaries.

And why is this so necessary? Because it aids security teams and researchers in diagnosing the severity of a cyberattack. It is of paramount importance that companies do not limit themselves to discovering which specific machine has been hit, but also look at what else is visible around that malware infection. Solving just the malware problem on an individual infected machine, for example, won't contribute much to the overall security of an organization. Finding out where or how it might have spread, however, is a different story.

Connecting the dots 

A common theme when discussing breach detection as a cyber-strategy is its compatibility with the security tools already working in the environment. Many people believe that an overhaul such as this could cause friction with equipment already in place. But far from having a hindering effect, a breach detection system is likely to be a centralizing force for security teams. Many organizations will have several tools, all serving different functions: DLP tools, lateral-movement detection tools, anomaly detection tools, to name but a few. But if security teams don't have a tool that can bring these functions together under one umbrella, the probability of getting lost in the details or caught chasing ghosts escalates.

On that subject, moving towards a breach detection model also helps to change the conversation around anomalous activity: activity that seems out of the norm and often leaves security teams scratching their heads. Anomalous activity is not always bad, and something bad is not always an anomaly. For example, a company employee may decide to upload or download a large data set, which they haven't done before. This is undoubtedly going to be characterized as anomalous, but it is not necessarily bad.

A program of breach detection helps organizations analyze the anomalies around a machine or network that is known to be infected. This is far more effective, and reduces 'alert fatigue' far more, than simply scanning for anything anomalous and leaving understaffed security teams to sift through mountains of data.

In addition, characterizing the set of anomalies associated with a verified compromised host allows the analyst to identify similar patterns across the organization, supporting a "magnification" process that can reveal the elements of a larger campaign.

Let’s not forget GDPR 

There is another factor driving the shift towards breach detection that can't be ignored, at least not for much longer: GDPR. Because of the incoming EU General Data Protection Regulation (GDPR), an organization's ability to identify breaches and mitigate them in a timely fashion has to become a crucial part of its compliance process, alongside protecting the user.

Breach detection is the very concept that indicates how bad a breach is. Being infected with malware is one thing, but the more complete view that breach detection provides could tell network defenders that the infected machine made a connection to a database it had never touched before and then uploaded the contents to an unknown host thousands of miles away. This tells them immediately that this is a different type of problem altogether, and allows organizations to get out in front of the GDPR legislation. The more focused and relevant the information security teams have at their disposal, the easier they are likely to find complying with EU requirements in the event of a breach.
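The two ideas above, scoping anomalies to a verified compromised host and then "magnifying" its anomaly pattern across the organization, can be sketched in code. This is an added illustration, not code from the article or from Lastline; the event tuples, baseline and destination list are constructed sample data, and the field names are assumptions.

```python
# Constructed sample telemetry (host, event_type, target); field names are assumptions.
EVENTS = [
    ("ws-17", "db_connect", "hr-db"),         # confirmed-infected host touches a new DB
    ("ws-17", "upload", "203.0.113.9"),       # ...then pushes data to an unknown host
    ("ws-17", "large_download", "fileshare"),
    ("ws-42", "large_download", "fileshare"), # lone big download: anomalous, not bad
    ("ws-88", "db_connect", "hr-db"),         # same pattern as ws-17: part of a campaign?
    ("ws-88", "upload", "198.51.100.7"),
    ("ws-05", "db_connect", "hr-db"),         # DBA workstation: already in its baseline
]
BASELINE = {("ws-05", "db_connect", "hr-db")}  # per-host behaviour seen before (constructed)
INTERNAL = {"fileshare", "hr-db", "mail"}      # known, expected destinations (constructed)

def anomalies_for(host):
    """Events for one host that fall outside that host's own baseline."""
    return [(t, d) for h, t, d in EVENTS if h == host and (h, t, d) not in BASELINE]

def characterize(host):
    """Reduce a host's anomalies to breach-relevant traits: which new data
    sources it touched, and whether data left for a destination nobody knows."""
    traits = set()
    for t, d in anomalies_for(host):
        if t == "db_connect":
            traits.add(("new_db", d))
        elif t == "upload" and d not in INTERNAL:
            traits.add("exfil_to_unknown")
    return frozenset(traits)

def magnify(compromised_host):
    """Use the confirmed host's trait set as the pattern and return the other
    hosts whose own anomalies reproduce every trait in it ("magnification")."""
    pattern = characterize(compromised_host)
    hosts = sorted({h for h, _, _ in EVENTS} - {compromised_host})
    return [h for h in hosts if pattern and pattern <= characterize(h)]

def alert_volume(compromised_host):
    """Unscoped anomaly count across all hosts versus anomalies around the
    confirmed host: the difference is what scoping saves the analyst."""
    total = sum(len(anomalies_for(h)) for h in {h for h, _, _ in EVENTS})
    return total, len(anomalies_for(compromised_host))

if __name__ == "__main__":
    print(characterize("ws-17"))   # traits of the known-bad host
    print(magnify("ws-17"))        # ['ws-88']: same new DB plus upload to unknown host
    print(alert_volume("ws-17"))   # (6, 3)
```

Note that ws-42, whose only anomaly is a large download, matches nothing: anomalous, but not bad.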

Treat the wound, not the bullet 

While there can be no doubt that the analysis and comprehension of malware is important to breach detection, remediation should not stop there. If we think of the malware as the bullet and the subsequent breach as the wound, no hospital in the world would spend more time on the bullet than on repairing the damage it caused. The same thought process should be applied to organizations' cyber security strategies, at a time when cyber criminals are clearly taking advantage of companies' short-sightedness when it comes to securing the enterprise.

Professor Giovanni Vigna, CTO and Co-Founder of Lastline 


Giovanni Vigna
Professor Giovanni Vigna is CTO and co-founder of Lastline, and a Professor of Computer Science at the University of California in Santa Barbara.