Jay Butler, Senior Technical Consultant
Our client base has witnessed a significant increase in malware infections over the last half of this year. At one time, our NOC Engineers could clean an infected machine rather easily using the same tool. The cleaning process now involves an expanding array of more advanced tools that require greater expertise to be effective. Infections often require either a brand new cleaning method or at least a variation.
Chris Banta, a Safe Systems NOC Engineer, has become our resident malware expert. He always seems to step forward whenever a malware case comes in, so it has become his forte. The NOC engineers and I have learned a lot from his work, and we frequently turn to him for insight. The other day Chris and I were discussing a malware case and the implications of the current attacks. In summary, we both agreed that the newest malware easily circumvents the common defenses that have been used for years.
The traditional defenses of Antivirus and Intrusion Prevention Systems (IPS) all suffer the same core weakness. They mainly rely on knowledge of existing attacks through the use of signatures that must be constantly updated. Signatures are a sort of database of known attacks that tell the scanners what to look for. The problem is that today’s attacks evolve at a pace that often leaves these scanners in the dust. By the time a new attack is discovered and signatures are written and deployed, the attack has already infiltrated some systems at a minimum; moreover, the attack may have already morphed into something new, rendering the original signature useless.
Signature-based scanners were developed during a time when hackers were mostly harmless computer pros out to test their skills against each other. One guy would write code to create a new attack and another would write code to detect and stop it. These days, hackers are often professional criminals backed by powerful organizations intent on cyber-crime. They are attracted to the endless possibilities for pilfering that the information age offers and are emboldened by the very low risk of being detected. Rather than redesign our defenses altogether, we’ve added increasingly complex security layers mostly based on the same concept of looking for what is known to be bad.
We need new tools and methodologies to defeat these criminals. Here is a short list of some technologies beyond the signature based scanners:
- Anomaly-based detection systems (or heuristics engines) are actually widely used now and are somewhat more effective than signatures. Anomaly-based solutions are not hampered by the delay inherent in signature-based methods. Instead, an anomaly-based system first learns what is normal for a given system and then looks for anything abnormal. The difficulty is distinguishing between the two accurately.
- Sandboxing – a technique for running software in a confined environment to restrict what it can do by preventing it from infiltrating the host system or network. Virtual Desktops can operate in this manner.
- Application Whitelisting – technology that blocks anything that has not been specifically allowed. This is an emerging technology.
- Patching – Windows patching is not enough. Maintain all known security patches for existing software, particularly for web browsers, Adobe Reader, Adobe Flash, and Java.
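To make the contrast between the signature approach and the anomaly approach concrete, here is a small Python illustration. It is an added example, not code from Safe Systems or from the author; the signature pattern, the per-process connection counts used as a baseline, and the z-score threshold are all constructed for the demonstration. The signature scanner catches the known sample and misses a one-byte variant of it, while the behavioural detector, having learned what each process normally does, flags the variant's activity; it also flags a legitimate month-end backup spike, which is exactly the false-positive problem the list item above describes.

```python
import statistics
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed "signature database": a known-bad byte pattern the scanner looks for.
SIGNATURES = {"Downloader.A": b"GET /payload.bin"}


def signature_scan(sample: bytes) -> List[str]:
    """Known-bad lookup: return the names of every signature present in the sample."""
    return [name for name, pattern in SIGNATURES.items() if pattern in sample]


# Constructed training data: (process name, outbound connections observed in one hour).
# In a real deployment this comes from days of telemetry, not a dozen rows.
BASELINE_EVENTS = [
    ("outlook.exe", 12), ("outlook.exe", 15), ("outlook.exe", 11), ("outlook.exe", 14),
    ("chrome.exe", 80), ("chrome.exe", 95), ("chrome.exe", 70), ("chrome.exe", 88),
    ("backup.exe", 3), ("backup.exe", 4), ("backup.exe", 2), ("backup.exe", 3),
]


class AnomalyDetector:
    """Learns a per-process mean and standard deviation for one metric, then
    flags observations that deviate from that learned normal."""

    def __init__(self, z_threshold: float = 3.0):
        self.z_threshold = z_threshold
        self.profiles: Dict[str, Tuple[float, float]] = {}

    def learn(self, events: List[Tuple[str, int]]) -> None:
        samples = defaultdict(list)
        for proc, count in events:
            samples[proc].append(count)
        for proc, counts in samples.items():
            mean = statistics.fmean(counts)
            # Floor the spread at 1.0 so a near-constant baseline does not
            # turn every tiny fluctuation into a huge z-score.
            stdev = max(statistics.pstdev(counts), 1.0)
            self.profiles[proc] = (mean, stdev)

    def score(self, proc: str, count: int) -> Optional[float]:
        """z-score of the observation against the learned profile; None if the process is unknown."""
        if proc not in self.profiles:
            return None
        mean, stdev = self.profiles[proc]
        return (count - mean) / stdev

    def is_anomalous(self, proc: str, count: int) -> bool:
        z = self.score(proc, count)
        # A process never seen during learning is abnormal by definition;
        # otherwise the observation must sit beyond the threshold.
        return z is None or abs(z) > self.z_threshold


def demo() -> dict:
    """Run both detectors over constructed inputs and return the verdicts."""
    det = AnomalyDetector()
    det.learn(BASELINE_EVENTS)

    # Constructed network captures: the original downloader and a variant
    # where a single byte in the request path was changed ("l" -> "1").
    original = b"User-Agent: dl\r\nGET /payload.bin HTTP/1.1\r\n"
    morphed = b"User-Agent: dl\r\nGET /pay1oad.bin HTTP/1.1\r\n"

    return {
        "sig_original": signature_scan(original),          # known sample: caught
        "sig_morphed": signature_scan(morphed),            # trivial variant: missed
        "anom_normal_outlook": det.is_anomalous("outlook.exe", 14),    # within baseline
        "anom_injected_outlook": det.is_anomalous("outlook.exe", 400),  # mail client beaconing
        "anom_unknown_process": det.is_anomalous("svch0st.exe", 5),    # never seen in training
        "anom_backup_spike": det.is_anomalous("backup.exe", 40),       # legitimate month-end job
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} {verdict}")
```

The last entry is the caveat worth dwelling on: the backup job's spike is real behaviour, not an infection, yet it scores far beyond the threshold. Tuning the threshold, widening the learning window, or adding context (time of month, destination hosts) is where most of the engineering effort in an anomaly-based system goes.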
We are locked into a fierce battle with information pirates, and I’ve written three articles this year concerning defensive strategy. The last two focused on the human factor through increasing awareness about Vishing/Smishing attacks and educating end users about how to deal with suspicious computer activity. Those installments were inspired by growing computer crime and by new attacks of increasing sophistication that can circumvent our current electronic defenses. I have listed a few solutions in this article intended to bring the focus back to IT for the upcoming year. To drive the development and proliferation of new technology, we need to rethink our strategy rather than accept the status quo.