Malware Incident Response System

Whether your company has 50 employees or 50,000, someone somewhere in the next 60 days will bring malware into your network. When it happens, what malware incident response system do you have in place to detect it or at least investigate it? Your answer had better be “it depends”.

Depending on the infection, the systems that you have in place to uncover malware may not work. This is especially true with targeted attacks which often don’t immediately risk exposing themselves. Sometimes these types of sinister programs are instructed to silently watch what is happening on its host. They take notes and then periodically phone home to the C&C in anticipation of instructions on the next course of action. These low traffic outbound connections are often done on TCP port 443 (i.e. encrypted with SSL) which means many firewalls won’t question the integrity of the connection request. You see, if the malware isn’t behaving in a way that exposes its where abouts, security professionals stand little chance of uncovering its presence.

Assume All PCs are Infected

Secure connections are perceived by many as “safe from malware” but in truth, even the bad guys have learned the benefits of an HTTPS connection. Consider this comment from the European Network and Information Security Agency (ENISA) “Many online banking systems dangerously rely on PCs being secure, but banks should instead presume all customer PCs are infected.” Secure connections are certainly a good idea but, seeing secure connections on your network does not mean that everyone is taking proactive measures to avoid compromising their computer. Hidden in those packets could be stolen confidential information.

If you don’t think you or your company has anything worth stealing, consider this; cybercrime is estimated to cost the global economy more than 400 billion dollars annually. This means that although you may not be a direct prime target, your customer lists held by your business partners as well as your personal information that is hosted by others is probably being actively targeted. The point being that it isn’t just you, it is the vendors you are sharing your information with!

More than three quarters (78%) of security professionals consider security breaches by third parties as one of their top three threats. Why? Think about innovations in technologies like mobile phones. These are seen as one of the biggest security threats due to all the applications we install and the sites we visit when we aren’t behind a firewall or running antivirus. These devices get infected and then the user walks right into the company and gets on the internal corporate network. In other words, they literally walk right past the firewall. Simply put, everyone is a target and part of the 400 billion annual theft and the problems often start with internal contagions.

Fear Internal Threats

Just about every company’s Internet protection is focused on blocking incoming malware. The bad guys know this. Today the strategy is to use social media and phishing attacks which get the user to click, download and receive infections that security appliances like firewalls perceive as something the end user wanted.
“According to Deloitte’s Global Financial Services Security Survey, 56 percent of Senior IT Executives are confident in their ability to prevent external breaches but, only 34 percent are confident in their ability to handle internal threats.” source
Of course, security vendors are taking action. Anti virus software despite marketing claims is still providing some protection from these downloads as are 2nd generation firewalls but, we can do more.

Network Behavior Analysis

Just as there is no cure for the virus that causes the common cold, nothing catches all internet threats. We can however, look for behaviors or signs that a machine is infected. This is the art of network behavior analysis (NBA).

A NBA looks for consistencies in odd behavior. For example, is the machine uploading to internet sites more than usual? Is the host moving files around internally causing traffic patterns that are abnormal? Is the host communicating with internet hosts with known poor reputations. All of these activities can be a sign that the end system is hosting malware.