Malware Mitigation Trends: Utilizing the Latest Weapons Against the Modern Malware Threat

By Steve Richards

Vendors in the malware mitigation market are divided along several lines: the perspective the vendor starts from, its detection philosophy and the technology it uses to put that philosophy into practice.

Most legacy network security devices have developed some form of anti-malware control. As with traditional AV, it is relatively easy for a network security device such as a content-aware firewall or intrusion prevention system to stop identified malware once the vendor has developed signatures or detection mechanisms that look for known instances of malware "breeds". For known threats, this signature approach can be effective.

However, known-threat detection mechanisms have been made less effective by the advent of the "commercial" malware market. This quickly growing black market gives criminal enterprises a forum in which to market their own malware-creation suites; some even offer technical support.

These user-friendly, GUI-based suites let criminal entrepreneurs create their own customized malware with very little effort. Each variation can be encrypted and packed so that every malware package carries a new and unique signature. As a result, for each new breed the signature-based vendor must obtain a sample, deconstruct it and develop a new detection signature before it can detect and block that variation. Some of the more sophisticated creation tools go further and provide an automated polymorphic repacking function: each time a new victim host is exploited, the malware produces a unique variation to transmit to the next targeted system, so the file hash seen at one victim never matches the one seen at the next.
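To make the signature problem concrete, here is an added example that is not from the original article and models no real packer: a hypothetical toy packer XOR-encrypts the same payload under a fresh random key behind a made-up `PK01` header, so every variant has a different SHA-256 and a hash blocklist built from one sample misses all the others, while a detector that has reverse engineered the stub can unpack each variant and match the constant body. The payload bytes and the `/gate.php?id=` content pattern are constructed for the example.

```python
import hashlib
import os
from typing import Dict, Optional, Set

# Constructed stand-in for a malware body: a C2 request template plus padding.
# It is plain data, not executable code.
PAYLOAD = b"GET /gate.php?id=%s HTTP/1.1\r\nHost: c2.example\r\n" + b"\x90" * 32

STUB_MAGIC = b"PK01"  # hypothetical header of the toy packer (not a real format)
KEY_LEN = 8


def pack(payload: bytes, key: Optional[bytes] = None) -> bytes:
    """Toy packer: header + random XOR key + XOR-encrypted body.
    Each call with a fresh key produces a byte-different variant of the same malware."""
    if key is None:
        key = os.urandom(KEY_LEN)
    body = bytes(b ^ key[i % KEY_LEN] for i, b in enumerate(payload))
    return STUB_MAGIC + key + body


def unpack(sample: bytes) -> Optional[bytes]:
    """What a vendor can write once it has reverse engineered the packer stub:
    recognise the header, pull out the key, recover the original body."""
    if not sample.startswith(STUB_MAGIC) or len(sample) < len(STUB_MAGIC) + KEY_LEN:
        return None
    key = sample[len(STUB_MAGIC):len(STUB_MAGIC) + KEY_LEN]
    body = sample[len(STUB_MAGIC) + KEY_LEN:]
    return bytes(b ^ key[i % KEY_LEN] for i, b in enumerate(body))


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_signature_detect(sample: bytes, known_hashes: Set[str]) -> bool:
    """Known-threat detection keyed on the hash of the file as seen on the wire."""
    return sha256(sample) in known_hashes


BODY_PATTERN = b"/gate.php?id="  # constructed content signature on the unpacked body


def unpack_and_detect(sample: bytes) -> bool:
    """Detection that looks past the packing at the constant body."""
    body = unpack(sample)
    return body is not None and BODY_PATTERN in body


def compare_detectors(n_variants: int = 5) -> Dict[str, int]:
    """Generate n variants, give the hash blocklist only the first one,
    and count how many variants each detector catches."""
    variants = [pack(PAYLOAD) for _ in range(n_variants)]
    known = {sha256(variants[0])}
    return {
        "unique_hashes": len({sha256(v) for v in variants}),
        "hash_hits": sum(hash_signature_detect(v, known) for v in variants),
        "unpacked_hits": sum(unpack_and_detect(v) for v in variants),
    }


if __name__ == "__main__":
    print(compare_detectors())
```

Running it shows five distinct hashes, one hash hit and five unpacked hits: the hash signature catches only the sample the vendor already holds, while the detector that understands the packer catches every variant. Real packers are far harder to invert than an eight-byte XOR, which is exactly why the per-variant turnaround cost in the paragraph above is so high.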

Not surprisingly, this evolution in malware development has produced a multitude of unpredictable variations. It has also spawned new technologies and detection philosophies based on the behavior of the malware and/or of the compromised host rather than on the bytes of the sample.

One approach is to run suspect content in a virtual environment (a sandbox) within a network device or host agent. Malware plucked off the network is allowed to execute in this contained environment so the security device can observe what it actually does. Based on the captured behavior, the source IP address is added to a known "bad-actor" database, and optional controls can restrict the infected host's network access. Two caveats apply: a sandbox verdict usually arrives after the file has already crossed the network, so the controls are reactive unless the device holds the file inline, and malware that detects virtualization or waits for user interaction may simply stay dormant during analysis.

Other vendors use a network sensor to detect malware callback or "command and control" (CnC) traffic. Once a malware-infected system is identified, steps can be taken to quarantine and decontaminate the host. The CnC detection approach, however, depends on accurate and timely intelligence about how the CnC networks communicate as well as up-to-date knowledge of which CnC networks are active. Indicators age quickly, so behavioral cues such as regular, timer-driven beaconing are a useful complement to a list of known CnC hosts.
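The two sides of CnC detection described above, as an added example that is not from the original article or any vendor's sensor: a behavioral check that flags source/destination pairs whose connection intervals are too regular to be a human, and an indicator check against a CnC hostname list. The proxy log lines, the hostnames and the single-entry CnC list are all constructed for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed proxy/flow log lines: "<ISO timestamp> <src_ip> <dst_host> <bytes_out>".
# 10.1.1.5 phones home every ~60 s (a beacon); 10.1.1.7 is ordinary browsing;
# 10.1.1.9 makes a single connection to a hostname on the CnC list.
SAMPLE_LOG = """\
2024-03-01T09:00:00 10.1.1.5 updates.example.com 412
2024-03-01T09:00:59 10.1.1.5 updates.example.com 410
2024-03-01T09:02:01 10.1.1.5 updates.example.com 411
2024-03-01T09:03:00 10.1.1.5 updates.example.com 409
2024-03-01T09:04:00 10.1.1.5 updates.example.com 412
2024-03-01T09:05:01 10.1.1.5 updates.example.com 410
2024-03-01T09:00:10 10.1.1.7 news.example.org 1500
2024-03-01T09:07:42 10.1.1.7 news.example.org 2200
2024-03-01T09:31:05 10.1.1.7 news.example.org 980
2024-03-01T10:02:11 10.1.1.7 news.example.org 3100
2024-03-01T10:45:55 10.1.1.7 news.example.org 1200
2024-03-01T11:00:00 10.1.1.7 news.example.org 640
2024-03-01T09:12:33 10.1.1.9 c2-dropzone.example.net 730
"""

# Constructed CnC indicator list, standing in for a vendor intelligence feed.
KNOWN_C2: Set[str] = {"c2-dropzone.example.net"}

Record = Tuple[datetime, str, str, int]


def parse(log: str) -> List[Record]:
    rows: List[Record] = []
    for line in log.splitlines():
        ts, src, dst, size = line.split()
        rows.append((datetime.fromisoformat(ts), src, dst, int(size)))
    return rows


def beacon_candidates(rows: List[Record], min_connections: int = 5,
                      max_jitter: float = 0.2) -> Dict[Tuple[str, str], Tuple[float, float]]:
    """Flag (src, dst) pairs whose inter-connection intervals are regular.
    Returns {(src, dst): (mean_interval_seconds, jitter)} where jitter is the
    coefficient of variation (stdev / mean) of the gaps. Human browsing is
    bursty and has high jitter; a timer-driven implant does not."""
    by_pair: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for ts, src, dst, _ in rows:
        by_pair[(src, dst)].append(ts)
    findings: Dict[Tuple[str, str], Tuple[float, float]] = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            findings[pair] = (round(mean, 1), round(jitter, 3))
    return findings


def indicator_hits(rows: List[Record], known_c2: Set[str]) -> List[Tuple[str, str]]:
    """Match destinations against the CnC list; a single connection is enough."""
    return sorted({(src, dst) for _, src, dst, _ in rows if dst in known_c2})


if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    print("beaconing:", beacon_candidates(rows))
    print("known CnC:", indicator_hits(rows, KNOWN_C2))
```

The two checks catch different hosts: 10.1.1.5 is never on any list but its 60-second cadence gives it away, while 10.1.1.9 connected only once and is caught purely by the indicator. The thresholds are starting points; software update agents also beacon regularly, so in production the behavioral finding should be enriched with destination reputation before anyone quarantines a host.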

Building on this, another approach is to work with companies that offer malware threat intelligence services. These services can include building and maintaining databases that aggregate malware-infected or suspicious IP addresses and identifying the active players in malware organizations and botnets. Providers typically build these databases by infiltrating malware organizations through human intelligence efforts, performing dedicated malware reverse-engineering research, operating honeypot networks (fake hosts and networks) and forming alliances with Managed Security Service Providers.

Almost every organization has a vested interest in keeping its customers and end users safe. By consuming malware threat intelligence, an enterprise can reduce the risk that an infected user inadvertently exposes sensitive personal information to a bot or malware agent active on that user's system. The intelligence can be integrated into the front end of an application to limit access from infected hosts, or fed into the log management life-cycle to notify potentially compromised users before the criminals who control the malware agent can use the stolen information. Numerous security vendors are beginning to use this kind of malware-specific intelligence in their products or to let customers integrate it themselves. Because feeds contain false positives and go stale, an application should treat a match as a signal that justifies step-up authentication or a customer notification rather than as grounds for an automatic, silent block.
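The front-end integration described above, as an added example that is not from the original article and assumes no particular vendor's feed: a small loader that parses a hypothetical CSV feed (indicator, category, confidence, last-seen date), discards stale and low-confidence entries, and a login policy that blocks traffic from a CnC range, steps up and queues a notification for a customer whose own host is listed as infected, and allows everything else. The feed contents, categories, thresholds and login events are all constructed for the example.

```python
import ipaddress
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple, Union

# Constructed intelligence feed in a hypothetical CSV layout:
# indicator,category,confidence(0-100),last_seen(YYYY-MM-DD)
FEED = """\
203.0.113.0/24,botnet_c2,90,2024-03-01
198.51.100.17,infected_host,75,2024-02-28
198.51.100.200,infected_host,40,2023-11-02
"""

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Entry = Tuple[Network, str, int]


def load_feed(text: str, now: datetime, max_age_days: int = 30,
              min_confidence: int = 60) -> List[Entry]:
    """Parse the feed and drop entries that are stale or low-confidence;
    consuming a feed blindly is how legitimate customers get locked out."""
    entries: List[Entry] = []
    for line in text.splitlines():
        indicator, category, confidence, last_seen = line.split(",")
        conf = int(confidence)
        age = now - datetime.fromisoformat(last_seen)
        if conf < min_confidence or age > timedelta(days=max_age_days):
            continue
        entries.append((ipaddress.ip_network(indicator, strict=False), category, conf))
    return entries


def lookup(entries: List[Entry], ip: str) -> Optional[Tuple[str, int]]:
    """Return (category, confidence) for the most specific matching entry,
    so a single listed host or a whole CnC range can both match."""
    addr = ipaddress.ip_address(ip)
    best: Optional[Tuple[int, str, int]] = None
    for net, category, conf in entries:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0]:
                best = (net.prefixlen, category, conf)
    return None if best is None else (best[1], best[2])


def decide(entries: List[Entry], event: Dict[str, str]) -> str:
    """Front-end policy for a login event. Traffic from a CnC range is blocked;
    a customer's own infected host is allowed only after step-up authentication
    and the account is queued for notification; everything else is allowed."""
    hit = lookup(entries, event["client_ip"])
    if hit is None:
        return "allow"
    category, _ = hit
    if category == "botnet_c2":
        return "block"
    if category == "infected_host":
        return "step_up_and_notify"
    return "allow"


# Constructed login events as an application front end would see them.
LOGINS = [
    {"user": "alice", "client_ip": "198.51.100.17"},   # listed infected host, fresh
    {"user": "bob",   "client_ip": "203.0.113.44"},    # inside the CnC /24
    {"user": "carol", "client_ip": "198.51.100.200"},  # stale, low-confidence entry
    {"user": "dave",  "client_ip": "192.0.2.9"},       # not in the feed
]


def review_logins(now: datetime = datetime(2024, 3, 2)) -> Dict[str, str]:
    entries = load_feed(FEED, now)
    return {e["user"]: decide(entries, e) for e in LOGINS}


if __name__ == "__main__":
    for user, action in review_logins().items():
        print(f"{user}: {action}")
```

Evaluated on 2 March 2024, alice is stepped up and queued for notification, bob is blocked, and carol is allowed because her entry is both old and low-confidence. Re-running with a later date shows the other property a practitioner wants: entries expire on their own, so a customer who cleaned an infected machine a month ago is no longer challenged.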

Another effective method is a host-based approach, which can be divided into pre-incident and post-incident areas of concentration. A pre-incident approach uses processes and tools to perform regular auditing of machines in the environment, application whitelisting and process behavior analysis. A number of vendors provide software solutions in this space. The approach presents some challenges, chiefly the disruption a whitelist causes when it blocks software the business legitimately depends on, but it looks promising provided the deploying organization rolls the tool out in an audit-only (alert, don't block) mode first and builds its enforcement policy from what that audit reveals.

The post-incident approach uses investigative or forensic examination of infected machines to determine the extent and impact of a malware incident. This can be done with host examination tools that verify the presence of malware through memory analysis among other techniques. Investigative and forensic tools that can safely analyze infected systems are necessary to determine the extent of the breach and identify exactly which data was compromised. Organizations that are serious about measuring and addressing the impact of malware incidents should acquire a software suite tailored to the particular challenges of malware investigation and forensics.
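The pre-incident audit described above, as an added example that is not from the original article or any vendor's product: a process inventory is checked against a hash allowlist, and each process's parent/child lineage is checked against a small set of pairs that are almost never legitimate on a workstation (an Office application launching a shell or script host). The allowlist hashes are derived from stand-in bytes, and the inventory, paths and lineage rules are constructed for the example.

```python
import hashlib
from typing import Dict, List, Set, Tuple

# Constructed allowlist. In practice the hashes come from a golden image or a
# vendor catalogue; here they are derived from stand-in bytes so the example
# runs offline.
APPROVED_IMAGES: Dict[str, bytes] = {
    r"C:\Windows\explorer.exe": b"stand-in explorer bytes",
    r"C:\Windows\System32\svchost.exe": b"stand-in svchost bytes",
    r"C:\Program Files\Office\WINWORD.EXE": b"stand-in winword bytes",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe": b"stand-in powershell bytes",
}
ALLOWLIST: Set[str] = {hashlib.sha256(b).hexdigest() for b in APPROVED_IMAGES.values()}

# Parent/child pairs that are almost never legitimate on a user workstation:
# a document reader should not be launching a shell or script host.
SUSPICIOUS_LINEAGE: Set[Tuple[str, str]] = {
    ("WINWORD.EXE", "powershell.exe"),
    ("WINWORD.EXE", "cmd.exe"),
    ("EXCEL.EXE", "powershell.exe"),
    ("EXCEL.EXE", "cmd.exe"),
}


def _h(path: str) -> str:
    """Hash of an approved image's stand-in bytes (constructed)."""
    return hashlib.sha256(APPROVED_IMAGES[path]).hexdigest()


# Constructed process inventory as a host agent would report it:
# (pid, ppid, image path, sha256 of the image on disk).
INVENTORY: List[Tuple[int, int, str, str]] = [
    (800, 4, r"C:\Windows\System32\svchost.exe", _h(r"C:\Windows\System32\svchost.exe")),
    (900, 800, r"C:\Windows\explorer.exe", _h(r"C:\Windows\explorer.exe")),
    (1200, 900, r"C:\Program Files\Office\WINWORD.EXE", _h(r"C:\Program Files\Office\WINWORD.EXE")),
    # approved binary, but spawned by Word: the macro-to-PowerShell pattern
    (1300, 1200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     _h(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe")),
    # dropped payload: not on the allowlist at all
    (1400, 1300, r"C:\Users\bob\AppData\Local\Temp\update.exe",
     hashlib.sha256(b"stand-in unknown dropper bytes").hexdigest()),
]


def image_name(path: str) -> str:
    """Last component of a Windows path (split on backslash, not os.sep)."""
    return path.rsplit("\\", 1)[-1]


def audit(inventory: List[Tuple[int, int, str, str]]) -> List[Tuple[int, str]]:
    """Return (pid, reason) for every process that fails the allowlist check
    or whose parent/child lineage matches a known-bad pattern."""
    by_pid = {pid: (ppid, path) for pid, ppid, path, _ in inventory}
    findings: List[Tuple[int, str]] = []
    for pid, ppid, path, digest in inventory:
        if digest not in ALLOWLIST:
            findings.append((pid, f"image not on allowlist: {path}"))
        parent = by_pid.get(ppid)
        if parent is not None:
            lineage = (image_name(parent[1]), image_name(path))
            if lineage in SUSPICIOUS_LINEAGE:
                findings.append((pid, f"suspicious lineage: {lineage[0]} -> {lineage[1]}"))
    return findings


if __name__ == "__main__":
    for pid, reason in audit(INVENTORY):
        print(pid, reason)
```

The two checks are complementary: the PowerShell process passes the allowlist because the binary is genuine, and is caught only by its parent; the dropper in the user's Temp directory has a clean lineage and is caught only by the allowlist. Running this in audit mode across a fleet, before any blocking is switched on, is what turns the "challenges" above into a manageable policy.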

In conclusion, the continually evolving malware threat and the pace of criminal innovation require enterprises to adopt a multi-faceted approach to malware. Attack surface management and active controls at the host and/or network, combined with an effective investigative capability, give an organization the toolset it needs to mitigate the impact of malware on its business. A countermeasure or compensating control used in isolation is unlikely to provide the breadth needed to cover all the attack vectors presented by modern malware.

Steve Richards

Solutions Architect

With more than 16 years of security-specific experience, Steve Richards is a senior solutions architect who has designed, developed, implemented and supported security solutions for many of the world's top financial institutions, service providers, government organizations and the Global Fortune 500. His experience spans multiple disciplines, including compliance management, security program management, project management, secure network design, intrusion prevention systems (IPS), firewalls, tap aggregation solutions, packet capture and analytics, log management, security information and event management (SIEM) systems and systems administration of Microsoft, Linux and UNIX platforms.