According to the Websense Labs 2015 Threat Report, the rise of Malware-as-a-Service (MaaS) is helping small-time threat actors launch large-scale attacks on networks through the sale of attack deployment kits and the ability to purchase or subcontract portions of the attack process.
In addition, attackers are relying more on attacks that combine tried-and-true techniques with new ones, which has made them significantly harder to detect. The report indicates that 99.3 per cent of malicious files employed a Command and Control (C&C) URL that had already been used by other malware developers, and that 98.2 per cent of malware authors used C&C infrastructure also found in five other malware variants.
But despite the increased craftiness of these individuals, it is still very possible for enterprises to mount a proper defence against these threats. Carl Leonard, principal security analyst for Websense, spoke to IT in Canada about the findings of the report and what they mean for the business world.
IT in Canada: Why has it become easier for threat actors to carry out attack procedures?
Leonard: Over the last few months, we’ve noticed that cybercrime has become easier to conduct. There is also a wide range of malware kits available to them. We actually tracked three times the number of exploit kits in 2014 as we did in 2013. They’ve now got a range of tools that are very effective at deploying malicious code in front of end users.
Not only that, but we’re finding that the level of skill required to conduct these attacks has been reduced, primarily because the abundance of available tools has increased. The malware authors are enjoying capabilities that they haven’t previously been able to utilize. When you combine that with evasion tactics at various points within the threat lifecycle, that’s the recipe for success.
ITIC: What led to the rise of Malware-as-a-Service?
CL: Increased competition in the marketplace. We know that cybercriminals are out to make a profit; they see that there is a market for these (exploit) kits. Other malware authors are now seeing that there is a void, and they have been peddling these kits. The cybercriminals are realizing the benefits of these enhanced and improved kits, and at Christmas time, we saw two of the most popular kits enhanced with evasion tactics to get past security solutions.
The competition in the marketplace has been a driving factor, and the success is clear. If an organization isn’t protecting itself, then the malware authors will be successful in their data theft attempts.
ITIC: Why does the majority of malware rely on a Command and Control infrastructure?
CL: The Command and Control infrastructure is used by malware authors to obtain a degree of influence into what the infected machine is doing, and what data it is sending back. When a malicious file is dropped onto an end user machine, the malware authors want to retain that infected machine for their purposes, and they might diversify those purposes. It could be used as a back door into a network, and perhaps a day later, they could use it to send out spam.
The instructions that the malware author sends through to a machine via the Command and Control infrastructure allow them to repurpose this machine. They can actually trade that machine, or a set of infected machines, to another malware author who might have a different purpose in mind. His instructions could be administered through that standard Command and Control infrastructure.
ITIC: How can malware groups be identified?
CL: We have seen that the majority of malware only uses six different methods to manipulate the infected machine. The malware authors have realized that they don’t have to do so much in order to be identified. Instead, they perform the minimal amount of actions that they can get away with, which allows them to remain under the radar. If you’re looking at the behaviour of a firewall, that gives you a good chance to observe exactly what those actions are.
I think one thing that we’ve certainly learned by conducting the analysis for this report is that it’s not always wise to focus just on the malicious payload; you can actually find the beginnings of a threat by looking at the lifecycle early on, and that could well be the actual website that dropped that malicious file. Or it might be an email threat that led the end user to open an attachment or exposed their vulnerability to that file.
If you identify threats earlier in the lifecycle, that’s how you can actually identify a malware group before it’s even got to the stage of manipulating your infected machine.
ITIC: Why does it appear that users have been desensitized to clicking potentially harmful links in emails?
CL: This is very interesting, as it talks about how end users can be manipulated, and the technology that warns them of a particular threat can actually work up to a point.
We’ve seen that when we’re able to warn end users that a URL in an email is malicious, around one-third of them still try to click on it. That’s quite a lot when you think that end users can actually play a role in having the first encounter with a threat because they’re being socially engineered and they’ve been tricked into performing some action. Yet a third of end users still try to follow through.
The issue there is that when you expose end users to too many warnings, and if you don’t control their behaviour successfully, they can then become dismissive of those warnings. Similarly, when we download some software or an app onto our phones, we don’t often read all of the terms and conditions. We don’t necessarily check what permissions the app is requesting; we just want to get that app or software without necessarily thinking about the consequences. The same issue exists with malicious threats.
ITIC: The report indicated that the total volume of threats decreased 5 per cent in 2014 from 2013. Will this trend continue in 2015?
CL: We believe that the malware authors are focusing on quality rather than quantity. Because of the tools that they have available, they are able to conduct more effective and more advanced threats with a lower barrier to entry. The threats themselves are becoming more adept at utilizing evasion tactics, so the attacks they do employ are better and more successful at breaching organizations.
The malware authors realize that if they can cross that threat lifecycle using these different evasion tactics, the security solutions will really struggle to protect against these newer, more advanced threats that we saw in 2014 and through to 2015. They are enjoying success right now, and we’re seeing many news items about how malicious actors have managed to get a hold of user database login credentials.
I believe this threat style will continue into the next year, and I think that they’ll continue to adapt the arsenal of tools they use to continue their success because after all, they need to make a profit.
ITIC: What is Websense doing to help businesses combat malware-related issues?
CL: We’ve actually done a lot of work in the area of combining a tactical and strategic approach. We can identify these indicators of compromise, which include the specific infrastructure, specific emails, and the websites involved in a particular attack.
We allow our customer base to be protected from threats because when you combine multiple data feeds, you can get a really good sense of the lifecycle of the attack. And if you’re able to intercept that threat during any part of its lifecycle, then you’ve taken the necessary action to protect against that threat coming through.
We were able to intercept 3.95 billion threats in 2014, but we’re also doing work in the realm of user education so the end users are warned. If we’re thinking about the glass being half-full, two-thirds of users do respond to these warnings. They can help IT teams, and through our Security Operations Centre, we can provide actionable intelligence so that the trending analysis is understandable. There’s actually some work that the internal IT team can do based off of this analysis to enhance their security posture, going forward.
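The report’s two detection points, that C&C infrastructure is reused across malware families and that a threat can be identified earlier in its lifecycle than the payload stage, come down to pivoting on shared indicators rather than on file hashes. The script below is an added illustration, not code from Websense or from the report: it groups constructed sample sightings by shared lure e-mail sender, lure URL and C&C URL (deliberately ignoring the dropper hash, which is the cheapest thing for an author to change), measures how much of the sample set reuses C&C URLs, and for a new sighting reports the earliest lifecycle stage that matches known infrastructure. All sender addresses, URLs and hashes are fictitious.

```python
"""Pivot on shared attack infrastructure to group malware sightings and to
catch a new sighting at the earliest lifecycle stage that matches known
infrastructure. Illustrative example; all indicators below are constructed."""

from collections import defaultdict

# Lifecycle stages in the order an intrusion unfolds: the lure e-mail, the
# page that serves the dropper, the dropped file, and finally the C&C URL.
STAGES = ("email_sender", "lure_url", "dropper_sha256", "c2_url")

# Constructed sightings (fictitious senders, domains and truncated hashes).
SAMPLES = [
    {"id": "s1", "email_sender": "invoice@mail-example.test", "lure_url": "http://lure-a.example/doc",
     "dropper_sha256": "aaaa1111", "c2_url": "http://c2-one.example/gate.php"},
    {"id": "s2", "email_sender": "hr@mail-example.test", "lure_url": "http://lure-a.example/doc",
     "dropper_sha256": "bbbb2222", "c2_url": "http://c2-one.example/gate.php"},
    {"id": "s3", "email_sender": "news@other.test", "lure_url": "http://lure-b.example/go",
     "dropper_sha256": "cccc3333", "c2_url": "http://c2-one.example/gate.php"},
    {"id": "s4", "email_sender": "support@third.test", "lure_url": "http://lure-c.example/x",
     "dropper_sha256": "dddd4444", "c2_url": "http://c2-two.example/panel"},
    {"id": "s5", "email_sender": "support@third.test", "lure_url": "http://lure-d.example/y",
     "dropper_sha256": "eeee5555", "c2_url": "http://c2-three.example/in"},
    {"id": "s6", "email_sender": "lonely@nowhere.test", "lure_url": "http://lure-e.example/z",
     "dropper_sha256": "ffff6666", "c2_url": "http://c2-four.example/cb"},
]


def _find(parent, x):
    """Union-find root lookup with path halving."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def cluster_by_infrastructure(samples, stages=("email_sender", "lure_url", "c2_url")):
    """Group samples that share any infrastructure indicator in `stages`.
    The dropper hash is excluded on purpose: unique payloads hide the shared
    infrastructure behind them. Returns sorted lists of sample ids."""
    parent = {s["id"]: s["id"] for s in samples}
    first_owner = {}  # (stage, indicator) -> first sample id seen with it
    for s in samples:
        for stage in stages:
            key = (stage, s[stage])
            if key in first_owner:
                ra, rb = _find(parent, first_owner[key]), _find(parent, s["id"])
                if ra != rb:
                    parent[rb] = ra
            else:
                first_owner[key] = s["id"]
    groups = defaultdict(list)
    for s in samples:
        groups[_find(parent, s["id"])].append(s["id"])
    return sorted(sorted(g) for g in groups.values())


def c2_reuse_ratio(samples):
    """Fraction of samples whose C&C URL also appears in at least one other
    sample, the same measure the report quotes as 99.3 per cent."""
    counts = defaultdict(int)
    for s in samples:
        counts[s["c2_url"]] += 1
    reused = sum(1 for s in samples if counts[s["c2_url"]] > 1)
    return reused / len(samples)


def earliest_matching_stage(known, sighting):
    """Walk the lifecycle in order and return (stage, cluster) for the first
    indicator of `sighting` that matches known infrastructure. `sighting`
    may be partial (e.g. only the e-mail has been seen so far). None if no
    stage matches."""
    index = {}
    for s in known:
        for stage in STAGES:
            index.setdefault((stage, s[stage]), s["id"])
    cluster_of = {sid: g for g in cluster_by_infrastructure(known) for sid in g}
    for stage in STAGES:
        value = sighting.get(stage)
        if value is not None and (stage, value) in index:
            return stage, cluster_of[index[(stage, value)]]
    return None


if __name__ == "__main__":
    print("clusters:", cluster_by_infrastructure(SAMPLES))
    print("C&C reuse ratio:", c2_reuse_ratio(SAMPLES))
    # A fresh e-mail with a lure URL already seen: caught before the payload runs.
    print(earliest_matching_stage(SAMPLES, {"email_sender": "bogus@fresh.test",
                                            "lure_url": "http://lure-b.example/go"}))
```

The sample set clusters into three groups even though every dropper hash is unique, and a sighting that shares only a lure URL with a known group is attributed to that group at the second lifecycle stage, before any C&C traffic exists to inspect. On real telemetry the same pivot should be weighted by indicator rarity, since a shared content-delivery host or webmail sender would otherwise glue unrelated campaigns together.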