Time to get more sophisticated with defense strategies against malware
Why you’re more likely to be hit by lightning than a zero-day attack
By Brian Pearce
Malware defense practices have been focused on reactive technologies: intrusion detection, content filtering, and detecting and blocking malicious files. Most of these solutions require draconian settings to block malware well, and user complaints about the resulting restrictions eventually wear down admin resistance. Until the next bad attack.
Reactive technologies must be installed and managed with great skill to block 99.9% of attacks, so even when done well, infection is possible. With the number of new malware attacks created every day, perfecting a defense against them is nearly impossible.
The attack signature count has recently doubled to over 1,600K. This is swamping the reactive solutions and their ability to detect and include each signature in their databases.
Malware attacks are a highly automated activity. Of the millions of attempts made every day, few involve a lone hacker who decides to attack a single end user or site. The best game plan is to use search and destroy programs to find thousands of relatively random, vulnerable computers into which malware can then be installed.
Time can be rented on botnets to do this across millions of IPs. The goal is to quickly get as many compromised machines as possible. This means the ‘low hanging fruit,’ the machines that are easiest to attack, will be compromised, and the endpoints, sites, and servers that are slightly harder to crack are skipped.
An excellent protection strategy against this automated attack consists of making your site and network less vulnerable than others. It’s the old story about two people confronted on a trail by a bear. Neither of them needs to outrun the bear to survive. One of them simply needs to be able to run faster than the other.
Avoiding malware is a similar story. By identifying and eliminating the underlying vulnerabilities in your network hosts (endpoints, servers etc.) instead of attempting to detect and block 100% of the attacks against them, a network can be secured against threats and vulnerabilities.
So instead of trying to spot and avoid millions of variations on attacks, address your relatively small and known set of vulnerabilities. Look slightly stronger than others and the attacker (typically an automated ‘bot’) will move on to its next target.
Making machines less vulnerable is not difficult. Malware uses relatively few, well-known vulnerabilities to attack your network, and those vulnerabilities can be checked for and plugged relatively easily by finding and installing a missing patch, changing a vulnerable configuration, or tightening up web applications.
A bot trying to attack a network with no known high or medium risk vulnerabilities will be unsuccessful and will swiftly move on to the next target.
Vulnerability Assessment and Management has been a major pillar of network security in enterprise networks for many years. Within just the last couple of years, medium and even small businesses are discovering the common sense of fixing their relatively few vulnerabilities rather than creating ever more layers of defense to keep them from being attacked.
Vulnerability Assessment best practice involves scanning every node on a network on a frequent, regular basis. Staffing issues may not allow fixing everything discovered, but with frequent scans done on everything, the time that is available can be spent on whatever is the most serious issue right now.
Doing a penetration test, or having a security consultant scan your network once a year, isn’t a good plan. Scans must be done regularly, preferably weekly, if not at the least monthly.
Microsoft alone discloses many vulnerabilities every month (Patch Tuesday), any one of which can affect your organization. Networks are constantly in motion and some simple change can inadvertently create an opening for an attacker.
Periodic, frequent vulnerability scans for known vulnerabilities and fixing those few that show up, coupled with basic malware training, detection, and blocking, will be enough to prevent an organization from being compromised.
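The triage described above (scan everything often, then spend the limited fix time on the most serious known issues first) can be expressed as a small script. The following is an added example, not code from the article or from Beyond Security; the findings, hostnames, identifiers (`VULN-SAMPLE-n`) and last-scan dates are constructed sample data, and the scoring weights are assumptions chosen for illustration rather than any standard. It ranks findings by CVSS severity, how long the vulnerability has been public (old, well-known holes are what automated attacks rely on), internet exposure and patch availability, and separately flags hosts that have not been scanned within the weekly cadence the text recommends.

```python
"""Prioritise vulnerability-scan findings and flag hosts overdue for a scan.

Added example with constructed data; the weights in priority_score are
assumptions for illustration, not an industry standard.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class Finding:
    host: str
    vuln_id: str        # constructed placeholder identifier, not a real CVE
    cvss: float         # base score, 0.0 to 10.0
    published: date     # when the vulnerability became publicly known
    fix_available: bool # a patch or configuration fix exists
    exposed: bool       # host is reachable from the internet


def severity_bucket(cvss: float) -> str:
    """Map a CVSS base score to the usual critical/high/medium/low bands."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def priority_score(f: Finding, today: date) -> float:
    """Higher score = fix sooner. Severity dominates; age, exposure and an
    available fix raise the priority (assumed weights)."""
    age_days = (today - f.published).days
    score = f.cvss * 10                        # 0..100 from severity
    score += min(age_days, 365) / 365 * 20     # up to +20 for a year-old issue
    if f.exposed:
        score += 25                            # reachable by automated attacks
    if f.fix_available:
        score += 10                            # cheap win: just apply the fix
    return round(score, 1)


def prioritize(findings: list[Finding], today: date) -> list[Finding]:
    """Drop low-severity noise (the text targets high/medium risk) and order
    the rest so the most urgent item is first."""
    worklist = [f for f in findings if severity_bucket(f.cvss) != "low"]
    return sorted(worklist, key=lambda f: priority_score(f, today), reverse=True)


def stale_hosts(last_scan: dict[str, date], today: date, max_age_days: int = 7) -> list[str]:
    """Hosts whose most recent scan is older than the allowed cadence."""
    return sorted(h for h, d in last_scan.items() if (today - d).days > max_age_days)


# Constructed sample data (not taken from any real scan).
TODAY = date(2024, 3, 15)
FINDINGS = [
    Finding("web-01", "VULN-SAMPLE-1", 7.5, date(2023, 1, 10), True, True),
    Finding("file-02", "VULN-SAMPLE-2", 9.8, date(2024, 3, 1), True, False),
    Finding("ws-17", "VULN-SAMPLE-3", 5.3, date(2022, 6, 1), True, False),
    Finding("db-03", "VULN-SAMPLE-4", 3.1, date(2023, 9, 9), False, False),
    Finding("vpn-01", "VULN-SAMPLE-5", 8.1, date(2024, 2, 20), False, True),
]
LAST_SCAN = {
    "web-01": date(2024, 3, 14),
    "file-02": date(2024, 3, 1),
    "ws-17": date(2024, 3, 10),
    "db-03": date(2024, 2, 1),
    "vpn-01": date(2024, 3, 15),
}


def worklist_hosts(findings=FINDINGS, today=TODAY) -> list[str]:
    """Hostnames in the order they should be fixed."""
    return [f.host for f in prioritize(findings, today)]


if __name__ == "__main__":
    for f in prioritize(FINDINGS, TODAY):
        print(f"{priority_score(f, TODAY):6.1f}  {f.host:8} {f.vuln_id:14} "
              f"{severity_bucket(f.cvss):8} fix={f.fix_available} exposed={f.exposed}")
    print("overdue for scan:", stale_hosts(LAST_SCAN, TODAY))
```

On this sample the year-old, internet-facing, patchable high on `web-01` outranks the two-week-old critical on an internal file server, which is the point of the text: the old, well-known, exposed hole is the one an automated attack will actually find. The low-severity item on `db-03` is dropped from the worklist, but `db-03` still shows up as overdue for a scan.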
Here’s a little information about known vs. unknown vulnerabilities. While it is true that some infamous malware attacks have utilized “zero-day” vulnerabilities (new, not yet documented or patched), these attacks are a tiny minority.
Known vulnerabilities are so prevalent that using a zero-day vulnerability to gain access to one of your computers is the equivalent of using a tank to break into your house when the back door was left open.
It is so easy to find and infect computers that have known vulnerabilities that their open market value is currently a few cents each. If you have information on how to compromise a network that nobody else knows about, would you waste it by adding more zombies to your botnet?
No. You would sell it on the open market or use it to compromise a lucrative target such as a bank, sensitive government network, or similar high-value target. The fact of the matter is that nearly all successful malware and botnet-related attacks use known vulnerabilities, many of which have been known about for months, or even years.
In conclusion, while it is ‘sexy’ to talk about reactively detecting and blocking live attacks, it is impractical. It is much cheaper and more effective (if boring) to be proactive and run periodic vulnerability scans to detect the relatively easy-to-find, known vulnerabilities that are used to break into the network, and plug those holes before they are used by attackers.
Prevention is the key and while nothing can guarantee a complete defense against malware, hacks and internet viruses, one can still have the peace of mind knowing that there is a solution to malware.
About the Author
Brian Pearce has 8 years’ experience in Security and over 25 years of experience in Operations and Marketing in technology, internet retail and franchising. In addition to positions with Memorex and Intel he was a co-owner of an international franchise network, a principal hire in a string of successful new business ventures and a founding partner of one of the first Internet advertising agencies that served Microsoft and dozens of dot.com startups in the San Francisco area. He is currently the COO and CMO of Beyond Security, a leading developer of Vulnerability Management solutions for networks, and Black Box (DAST) and White Box (SAST) testing solutions for certification centers and application developers.