Malware insights -- How do you stack up?
In April, Lastline launched the first of our Malscape Monitor reports, for the fourth quarter of 2017. The report analyzes data from our Global Threat Intelligence Network to provide several insights and benchmarks on encounter rates with malware that CISOs can use to measure their own cyber risk and security performance.
There are three findings that I want to elaborate on in this blog post that I think will illustrate why many of today’s threat detection technologies are ineffective resulting in increased risk of a malware infection.
External Threat Intel Feeds are Not Helpful
Most threat intelligence feeds are static attribute-based offerings that share the basic elements of a threat in a given point in time. These elements typically are files hashes, IP addresses, and domain names or URLs, all of which are easily disposable from one threat to the next.
A report delivered at the 2016 FIRST conference shows that 96 percent of domains are unique and up to 95 percent of IP addresses are unique. Data in our Malscape Monitor reinforces the one-time use of IoCs that are typically provided by treat intel services.
Samples submitted to Lastline are scrutinized and released by upstream gateway, endpoint and network security technologies. So Lastline provides visibility into the levels of advanced threats to organizations that escape detection by other defenses. We still found that two thirds (65 percent) of samples we analyzed had never been submitted to VirusTotal and were seen only once by Lastline.
It’s also telling that there is virtually no overlap across threat intel feeds, as supported by reports from Verizon and Niddel’s Machine Learning Security project. So, if you’re still interested in using external threat information to inform your security practice, you need to subscribe to all of the threat intel feeds to get a complete picture, which is an overwhelming amount of data that we have already shown is mostly unique, one-time IOCs.
The conclusion is obvious: threat information provided by external threat intel feeds has no relevance at all to the threats you will encounter. This information will not only not help to detect attacks against your network, it will also allow day-zero malware to slip past your security controls undetected. The best data for detecting breaches is your own internal data.
You Can’t Remediate What You Can’t See
Another particularly interesting finding in the report is that 90 percent of the malware we analyzed was labeled by AV solutions with generic labels such as "trojan.generic." This is malware for which the security controls that provide data to various virus submission portals did not yet provide a malicious verdict at time of submission. The recommended remediation for these files is to reimage the system or to restore from a known good backup.
The problem with this emerges when you combine this with another finding from the report. The most dangerous forms of malware in terms of potential for significant loss of confidential or regulated data have certain key characteristics and capabilities:
- Packed -- they can navigate through static analysis with the use of "Packing" technology.
- Evasive -- they avoid detection by dynamic analysis with evasion behaviors.
- Stealthy -- They compromise a host and use stealth behaviors on the victim’s system such as by masquerading as trusted system files to remain undetected.
- Theft -- They steal credentials by monitoring user activity or accessing credentials to gain subsequent access to protected data applications and systems.
Our analysis found that one in 12 malware submissions that we analyzed displayed all four of these behaviors.
Security tools that simply provide a binary assessment (good vs. bad) combined with a generic label do not have the ability to determine what behavior is engineered into the malware, and are unable to establish the specific malicious intent. This leads to incomplete remediation.
The issue with providing generic guidance is that it does not address the very significant threat posed by stolen credentials. Re-imaging a system without changing credentials does nothing to prevent the attackers from coming back through the front door.
Malware Is Getting Through Your Defenses
As I mentioned earlier, the files analyzed by Lastline have already been screened and released by upstream security tools. Despite analysis by other security technologies, we found that, of the files that other security controls allow to infiltrate network traffic, one in every 500 email or web transactions was indeed malicious.
Do the math! How many emails do your employees receive every day, and how many webpages do they visit? One in 500 of those are released by your existing security tools while still being malicious in nature.
The Solution is in The Behaviors Taking Place in Your Network
The bottom line is that external threat intel feeds just cause a lot of noise and distract your security team, while AV tools provide unhelpful labels that lead to incomplete remediation, and malware is still getting through.
The best practice for addressing all of these is to focus your analysis on internal data and use technology that can dynamically analyze the behaviors engineered into any file and transpiring across your network.
In addition to providing more detail on the findings mentioned above, the report describes some regional differences in the US, UK and DACH region in terms of the details of the malware we analyzed. You can request your copy of the report here.
Andy Norton, is director of threat intelligence, Lastline