The cybersecurity industry is woefully unprepared for new and unknown threats. Security solutions — whether “traditional” or “next-gen” — are too reliant on historical data (e.g., behaviour, signatures, IOCs, IOAs, ML models trained on old known malware) for threat detection. They only leverage the enumeration of badness approach which renders them unable to detect new threats on a regular basis. That includes instances when what’s “new” is actually a variant of a well-known attack, such as the latest versions of Shamoon and Emotet.
Nearly 20 years ago, the ILOVEYOU virus infected more than 500,000 systems by replicating itself via a user’s contact list. It made cybersecurity history as the first attack attached to an email (and for the $15 billion in damages it caused). Two decades later, today’s modern endpoint security solutions still struggle to identify and thwart old, known threats.
You may ask, “how can that be? My AV vendor’s product collateral promises a 99.9% efficacy rate.” The answer lies in the sheer volume of malware – both old and new – that target organisations across all industries all over the world every day.
There are now over two billion known malware in circulation, and between 500,000 – one million new pieces created every day. You cannot win against infinite odds. According to AV-Test.org, almost 140 million new malware samples were submitted in 2018. Even at 99.9% detection rate, this would leave 140,000 undetected threats, and this is just for known file-based malware.
Cybersecurity Insiders surveyed hundreds of cybersecurity professionals for its 2019 Endpoint Security Report, and found most reported an increase or significant increase in endpoint security risk likely due to the proliferation of new and unknown threats. As a result, 41 per cent indicated they would increase their endpoint security budgets, and about one third have implemented more than four different endpoint security agents, including AV, DLP, encryption and EDR.
Yet, only half of organisations believe their current endpoint security posture can stop at least 75 per cent of attacks, and another a quarter believe they can only prevent 50 per cent.
Tried and true
One big advantage the attackers hold is just how easy it is to modify and (re)launch existing malware strains, obviating the need to spend the time building new strains from scratch. You might think blocking tweaked versions of known attacks wouldn’t be difficult, but the opposite is true.
For example, Shamoon, which first appeared in 2012, remains a popular malware deployment vehicle because it’s been through a number of iterations. Notorious for wiping machines, Shamoon first struck Saudi Aramco, rendering over 30,000 endpoints unusable. It resurfaced in 2016 to again target the Middle Eastern oil industry. On December 12, 2018 the latest variant infected approximately 400 servers and 100 personal computers at Saipem, an Italian oil and gas industry contractor, resulting in significant data loss and recovery costs.
This new version acts as a dropper that is responsible for installing the wiper module on the system. The module “wipes off” system data by corrupting all files and forcing a restart that causes the system either to boot and show the “blue screen of death” or enter a perpetual restart loop. At that point, data restoration is impossible.
In the public sector, where the Verizon 2019 Data Breach Investigations Report (DBIR) states cyberespionage “is rampant,” the U.S. Department of Homeland Security (DHS) warns the Emotet Banking Trojan remains a threat five years after it was discovered due to its ability to slip past traditional endpoint security solutions.
“Emotet continues to be among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors,” states the DHS alert. “Its worm-like features result in rapidly spreading network-wide infection, which are difficult to combat. Emotet infections have cost SLTT governments up to $1 million per incident to remediate.”
Cops and Robbers
Even the professionals trained to stop the “bad guys” are frequent cyber attack targets. And as TechCrunch’s Zack Whittaker recently discovered, the thieves can be chillingly ambivalent about the fact they may place law enforcement professionals’ lives at risk.
Whittaker reported on a breach of three web sites associated with the FBI National Academy Associations. He interviewed one of the attackers via encrypted chat messages.
“We hacked more than 1,000 sites,” the hacker bragged. “Now we are structuring all the data, and soon they will be sold. I think something else will publish from the list of hacked government sites.”
When Whittaker asked whether selling the files will put federal agents and law enforcement at risk, the seemingly unconcerned hacker replied, “probably, yes.”
Nyotron recently saw first-hand how attackers target law enforcement agencies when one of our customers, the police department of one of the largest cities in the U.S., discovered the Andromeda botnet had snuck past its traditional endpoint security solutions and infected multiple endpoint devices.
Also known as “Wauchos” or “Gamarue,” Andromeda is a strain of malware that has been around since 2011 and “lived” through five major versions. It is designed to steal credentials and to download and install additional malware onto compromised systems. It spreads in many ways including malicious attachments, phishing campaigns, via mostly dubious websites and by infected detachable storage devices.
Positive and negative
While traditional Negative Security tools and policies monitor for known malware, Positive Security solutions and processes focus on a finite set of good behaviours to proactively keep up with the ever-increasing volume of new, never-seen-before and fileless malware threats.
For instance, by knowing a baseline of finite legitimate system sequences at the OS system call level, the security team can detect activity sequences that do not follow a normative path, and prevent them from executing, no matter what vector or method an attacker is attempting to leverage. Detecting malware even after it has infected endpoint devices is critical to any organisation’s ability to eliminate “malware dwell time” – the Verizon DBIR found more than half (56 per cent) of data breaches took months or longer to discover.
If your organisation relies only on a Negative Security model, complement your security layers with an approach that does the exact opposite - ensuring what’s good. Note I use the word “complement.” I am not advocating for you to stop using your existing solutions. Although a single detection technique may not be effective, the combination of a few provide some level of protection against commodity ransomware. Combine these tools with ones that track the good by applying a whitelisting-like approach to create the most effective defence in depth posture.
Rene Kolga, CISSP, heads Product Management and Business Development for North America, Nyotron