Malware authors are using dated measures that are still good enough to penetrate enterprise networks. In fact, 99.3 per cent of malware in 2014 took advantage of ‘command and control’ infrastructure used by at least one other malware author.
This was a key finding of Websense’s 2015 Threat Report, which found these new pieces of malware are reaching out to command and control servers and systems that have been used before.
“More than 99 out of every 100 threats are going to touch something on the globe that we have seen before,” Charles Renert, VP of research and development for Websense told CIO.
Renert said this makes it much easier for malware writers to make small changes to the overall attack infrastructure to bypass security controls and deliver the attack code through the same sources.
“So on the one hand, you get that sort of reuse, that economy of scale. On the flipside, you get a rapid variation of the ways in which users are being sent to those command and control servers. They’ll be getting brand new URLs, brand new emails, or maybe a slightly modified bit of malware – every few minutes we are discovering [new malware], we detected nearly four billion of these in calendar 2014.
“What hackers do to generally be successful is recreate and make slight adjustments across a number of different angles to fool our current security tools,” he said.
Dealing with this ‘rapid variation’ in malware attacks is a big challenge for CIOs and CSOs, said Renert.
He said although security teams can identify 99 per cent of malware attacks with existing command and control infrastructure, this still leaves one per cent or 40 million of the four billion attacks that are using new methods to escape detection.
“That’s a lot of attacks that can get through. So the call to action for CIOs and CSOs is that it’s not enough just to deploy the tools, they also need a team of experts that understands those indicators but can then generalise to how they are being attacked, what data might be at risk, and what areas of their network might be more vulnerable than others,” he said.
Renert said every organisation of reasonable size has been compromised with malware or has been taken over by a botnet that is sending command and control instructions to a network outside the corporate infrastructure.
This means organisations need to not only defend their perimeter but have validation points for everything that is coming in and going out of the network, he said.
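To make the reuse-versus-variation point concrete for the outbound "validation point" Renert describes, the following added example (not code from Websense or the report) matches egress proxy records against previously seen command and control hosts at the host level, so that a brand new URL path on a reused server still matches; the indicator list, client addresses and log lines are all constructed, using documentation-reserved names and addresses.

```python
from urllib.parse import urlsplit

# Constructed list of command and control hosts seen in earlier campaigns.
# These are documentation-reserved values, not real indicators.
KNOWN_C2_HOSTS = {"c2-reuse.example", "198.51.100.23"}

# Constructed egress proxy log: timestamp, internal client, destination URL.
PROXY_LOG = """\
2014-11-03T09:12:01Z 10.0.4.17 http://c2-reuse.example/gate.php?id=a1
2014-11-03T09:13:44Z 10.0.4.17 http://c2-reuse.example/img/1d7.gif
2014-11-03T09:15:09Z 10.0.7.3 https://198.51.100.23:8443/api/v2/beacon
2014-11-03T09:16:30Z 10.0.2.9 https://www.example.org/news
2014-11-03T09:18:55Z 10.0.4.17 http://fresh-host.example/c/x
"""


def destination_host(url):
    """Reduce a URL to its host so a new path or port on a known C2 host still matches."""
    return urlsplit(url).hostname  # lowercased, port stripped


def parse_proxy_log(text):
    """Split each constructed log line into a dict with the normalised destination host."""
    events = []
    for line in text.splitlines():
        ts, client, url = line.split(maxsplit=2)
        events.append({"ts": ts, "client": client, "url": url, "host": destination_host(url)})
    return events


def triage_egress(events, known_hosts):
    """Separate connections to previously seen C2 infrastructure from the residue.

    The residue (benign traffic plus any genuinely new infrastructure) is what
    indicator matching cannot settle and an analyst must still examine.
    """
    flagged = [e for e in events if e["host"] in known_hosts]
    residue = [e for e in events if e["host"] not in known_hosts]
    return {
        "flagged": flagged,
        "residue": residue,
        "matched_share": len(flagged) / len(events) if events else 0.0,
        # Internal clients that reached known C2: likely compromised hosts.
        "clients_to_review": sorted({e["client"] for e in flagged}),
    }


if __name__ == "__main__":
    result = triage_egress(parse_proxy_log(PROXY_LOG), KNOWN_C2_HOSTS)
    for e in result["flagged"]:
        print("known C2", e["client"], "->", e["url"])
    print("residue to analyse:", len(result["residue"]), "of", len(result["flagged"]) + len(result["residue"]))
```

The two connections to different paths on c2-reuse.example and the non-standard port on 198.51.100.23 all match on host alone, while fresh-host.example lands in the residue alongside ordinary traffic.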
Still, he said there’s no guarantee that all new threats are being stopped and CIOs and CSOs are battling with the expense associated with hiring the right security experts.
Meanwhile, the Websense report said redirect chains, code recycling and many other techniques are allowing malware crooks to remain anonymous, making attribution difficult, time consuming and unreliable.
Widespread use of older standards in lieu of newer and more secure options continues to leave systems vulnerable and exposed. A brittle infrastructure allows threats to expand into the network framework itself, including the code base of Bash, OpenSSL, and SSLv3, Websense said.
In 2014, 81 per cent of all email scanned by Websense was identified as malicious, an increase of 25 per cent on 2013. The company said it also detected 28 per cent of malicious email messages before an anti-virus signature became available. It identified more than 3 million macro-embedded email attachments in just the last 30 days of 2014.
The report also found that only three per cent of malware uses a set of behaviours that is not common, or not seen, in today’s sandboxes. The volume of malware threats also decreased by five per cent in calendar 2014 compared to 2013, with attackers focusing more on accuracy than on volume.
Quiet, targeted attacks are proving far more effective for malware writers. These attacks provide a greater yield than a wide-scale attack, which rings alarm bells and prompts security teams to react.
“They [malware authors] are not playing the scattershot random game, they are getting in with a large body and are focusing in and targeting networks in a much more exclusive way,” said Renert.
Follow Byron Connolly on Twitter: @ByronConnolly