The moment a cybercriminal targets an organisation, the victim enters a race against time. Every minute that the attacker is able to operate undetected is more time for them to compromise systems, steal data, and cause more harm to their target. The ability to detect an attack and shut it down quickly can make the difference between a minor security incident and a huge breach that costs millions of pounds, or even brings an end to the company itself.
The good news is that organisations seem to be making great strides in detecting security breaches, according to our 2017 Trustwave Global Security Report, which examines the results of thousands of our investigations into security incidents. Across the incidents we investigated in 2016, the median time from intrusion to detection of a compromise had fallen to 49 days, down from 80.5 days in 2015.
These times ranged from same-day detection to more than five years, but the overall trend is a positive one, particularly as we see the emergence of more sophisticated malware specifically designed to hide its presence for extended periods of time.
The evolution of evasive malware
During our investigations over the last year, over a third (36 per cent) of the malware we have encountered had the ability to download additional malware from a remote server. Other popular tactics included using process injection to hide within another legitimate process on the system, or implementing a remote administration function to provide the attacker with a backdoor into the system.
Another powerful technique to evade detection is the use of malware that resides in memory rather than on disk. Many traditional security measures search the system for a particular hash, and will find no trace of malware hidden in this way.
One of the more prominent examples of this technique is the PoSeidon malware family, which targets point-of-sale (POS) systems. The malware is a memory scraper program that searches the computer’s memory for data sequences that match patterns, such as a credit card number. The PoSeidon binary is a simple injector into svchost.exe, but while this still resides on disk, the credit card scraping malware only lives in memory. Alongside this, PoSeidon is also a good example of the way popular malware families are constantly evolving and being improved by the community. Despite first appearing a couple of years ago, in 2016 we detected significant new features including privilege escalation and a monitor process that ensures it remains installed and active.
Malware like this can only be discovered through memory analysis, using a memory image to determine information about running programmes. While there are automated tools available to assist with analysis, an investigation generally needs a trained and experienced professional, who will then be able to reverse engineer it to contain the breach and close the infiltration vector.
Rather than reinventing the wheel for each new attack, in many cases the criminals will apply these new techniques to a pre-existing malware family. A particularly prevalent example over the last year was the CryptXXX ransomware family. Like all ransomware it encrypts important files on the infected computer and demands the victim pay for the decryption key. Researchers managed to crack the malware several times over the last year, leading to the creation of new defences and decryption tools that allowed the victims to recover their files without paying the ransom. However, each time a new solution was published the criminals continued to update the malware to counter it, with the third iteration adding tougher encryption and credentials stealing malware into the mix.
Hunting down the threats
While the ability to respond to an incident quickly is essential, the endless innovations and evolutions of malware and tactics means the initial response must be coupled with an in-depth investigation. With new variations constantly appearing, organisations need to be sure exactly what they were hit with if they are to guarantee they are secure. The popular trend of blending malware together in a single attack means that there are frequently multiple different infections that must be tracked down and contained.
It’s also common for more advanced threat actors to launch multiple attacks simultaneously, for example using a highly visible approach such as ransomware to distract from a more covert breach elsewhere on the system. We often encounter organisations that were confident they have contained an incident, only to be hit by a secondary breach through a compromise that had remained hidden.
With good training and the right technology, an IT team can be very successful in mitigating the immediate damage of a cyber attack. However, more advanced malware strains and specifically targeted attacks will usually be difficult for most tech practitioners to even detect, let alone stop. Likewise, even if they are able to perform some effective triage work, an in-depth investigation requires a different level of skill, experience and technology.
One of the best ways to access the resources required to effectively contain and investigate an attack is to employ a managed security service (MSS) provider. This will provide a network of threat intelligence on the latest developments and attacks, and will also mean there is 24-hour access to a team of experienced security practitioners. Premium MSSPs offer Managed Detection and Response for Endpoints (MDRe) services, which allows for global teams of incident responders to threat hunt, respond to attacks, and remediate in real-time 24/7. This is the best methodology for proactive threat identification and response available in the security market today.
During our investigations, we have found that incidents which have been self-detected – either through their own internal teams or through a third-party service provider - were discovered an average of 60 percent faster compared to those found through an external party such law enforcement or a regulator. The median detection time for internal discoveries was just 16 days. Organisations that could detect breaches themselves were also able to contain the incident more quickly on average – an extremely important factor when every additional day leaves the attacker free to deal more damage.
The cyber criminals are always going to be working to stay one step ahead of security defences with new tools and tactics, making it almost impossible for any organisation to completely guarantee their safety from attack. However, those that have equipped themselves with the ability to proactively detect and investigate incidents will be in a much stronger position to beat the attacker in the race to close the breach and restore their operations.
Brian Hussey, VP of Cyber Threat Detection & Response for SpiderLabs at Trustwave
Image Credit: Balefire / Shutterstock