
What is Malware?

Computer security professionals use the word “malware” to refer to a wide range of software created with the intent of doing harm to others and their data. The scope of the term keeps changing as bad actors continue to create new packages for infiltrating computer systems to steal copies of protected data or to alter it.

The term includes both human-directed tools like rootkits and autonomous actors like viruses, worms or bots. While all of them rely upon some form of artificial intelligence or autonomous software, they are also always ultimately working at the direction of humans.

Fighting malware has become a priority for CISOs and their computer security teams. Stealing privileged information or disrupting workflow is a preferred way for attackers to target competitors. The stolen information can be used in various ways to the detriment of the target.

There are many estimates of the value of data lost to malware attacks, and many easily reach billions of dollars. Many agree that the estimates can never be accurate or complete because it’s impossible to understand what damages may be caused by malware that goes undetected.

What are the main types of malware?

Over the years, the types of malware have tended to fall into several broad categories:

  • Viruses – These stand-alone tools can migrate from machine to machine, often replicating themselves completely autonomously. Some may communicate with a central control system, often through the Internet, but some may just continue to live without connecting to their managing system until they discover the targeted data. A number of good professional security packages track the most common viruses and many systems will scan email and other common distribution vectors to detect and delete the viruses.
  • Rootkits – These tools will make it easier for an attacker to execute commands remotely, often running as root, the most highly privileged account role on Unix machines. These are often installed after attackers gain entrance through some other means, usually to simplify future access.
  • Keystroke loggers – These may be installed in the main computer or sometimes in subordinate systems like the USB bus manager. These will track all keystrokes capturing personal data or passwords.
  • Ransomware – When these packages succeed, they will find a way to shut down a system, often by encrypting the information so it can’t be used. The attackers then demand a payment to remove the ransomware. These packages may share some of the same techniques as other malware.
  • Phishing – These look to exploit insiders and their legitimate access by tricking them into activating some extra software that will complete the attack. A common approach is to hide the attacking software inside a document that appears legitimate.
  • Adware – These packages often don’t seek to steal information, just the user’s time by sneaking in legitimate advertisements from legitimate vendors into places where it wouldn’t normally be found. The attackers then claim the revenue from displaying the ads.
  • Bots – These autonomous packages often steal computer cycles by operating in the background. They are used for various tasks, ranging from simulating grassroots, legitimate interest on social media to mining cryptocurrencies.
  • Botnets – These are collections of bots that coordinate their efforts.
  • Spyware – These packages will target the user’s personal information or the user’s access to corporate data.

The list of different types of malware continues to grow as developers and hackers continue to develop new ways to access computers remotely.

What are the dangers of malware?

The dangers that malware brings to an organization depend upon the nature of the data that’s stored in their systems. Some users who only use their machines to browse the web and consume public content may not care very much if an outsider accesses their data. Simply ignoring the malware may be a practical way to save time when there’s little data of value on the system. Still, this capricious approach could be dangerously foolish if the computer is later used for sensitive operations like financial transactions.

Many organizations can’t be so cavalier. All enterprises must prevent unwanted access to their financial information because it is a prime target for thieves.

Some enterprises must pay special attention to malware because their systems store more personal and privileged data. Financial institutions, for instance, must worry about fraud and theft. Medical providers must guard their patients’ personal health data.

The dangers increase when an enterprise has known opponents. The military and intelligence services must be especially aware because malware can often be a tool of warfare. Even if no open kinetic war is unfolding, the enemies may still be actively attacking in cyberspace.

Who is responsible for malware?

While some malware packages are signed by their creators, often in a fit of foolish arrogance, the vast bulk of the known packages come from no easily accessible source. The malware authors know enough not to brag.

Some security researchers can make educated guesses that connect different attacks. Perhaps the software follows a similar pattern to an attack from the past. Perhaps large blocks of code are reused. In some cases, the researchers can track the flow of the malware through the networks and local systems, and they’re able to use a timeline of the attack to focus on a particular source.

What can the enterprise do to fight malware?

CISOs and response teams can fight malware both before and after any attack. Good forensic scans of the incoming data flows can often identify and quarantine malware before the attack begins. Scanners for viruses and other packages may spot the attack arriving via email or network file transfer.

Best practices suggest maintaining an active and well-trained team skilled in digital forensics and incident response (DFIR). These groups can collect evidence from operating systems to identify any malware and start the process of quarantining and removal. When law enforcement is involved, the DFIR team can gather disk images and memory dumps that can guide the investigation and maybe be offered as evidence in any trial.

How can signature and behavioral analysis fight malware?

Signature and behavioral analysis are two of the most common tools used to identify and understand malware. The first, signature analysis, is a static process that examines the data, looking for particular patterns or strings of bytes. When a new virus or worm is found, analysts look for a distinctive pattern of bytes that is rarely seen elsewhere. These “signatures” are tracked in centralized databases that are shared with other teams to make it easier to find and quarantine malware. Scanning for these distinctive signatures is usually very fast, so teams can search large volumes of data quickly and efficiently.

Behavioral analysis is more complex and involved, but it can identify more dangerous and surreptitious examples of malware. The process requires starting up the software in a protected environment, often called a “sandbox.” As the software runs, the sandbox can watch for particularly dangerous behavior like searching for private information or trying to change protected databases. While running each piece of software independently is time-consuming, it can reveal new malware that isn’t tracked in any database. It can also reveal some of the most dangerous viruses or worms that are able to rewrite themselves, essentially disguising their identity every time they replicate. These shape-shifting packages can be impossible to track with simple signatures.

Many DFIR teams use a mixture of signature and behavioral analysis. Fast, broad signature scans at the beginning can search through large amounts of stored data. If other clues point to particular files, a deeper behavioral test can find new or well-disguised examples.
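The mixed workflow described above, as an added illustration that is not code from this page or from Cyber Triage: a cheap signature pass runs first, and the slower behavioral check is applied only when signatures are silent but a sandbox trace is available. Every signature, sample and sandbox event below is constructed for the example; the rule names, the `Event` record format and the sensitive-path lists are assumptions, not a real product's format.

```python
"""Toy signature scanner beside a toy behavioral check.

Added example, not code from the page or from Cyber Triage. All signatures,
byte samples and sandbox events here are constructed stand-ins for real data.
"""
from __future__ import annotations
from dataclasses import dataclass

# Constructed signature database: family name -> distinctive byte pattern.
# Real databases hold millions of such patterns (plus hashes, YARA rules, ...).
SIGNATURES = {
    "Example.Worm.A": b"EXAMPLE-WORM-A\x00\x13\x37",
    "Example.Trojan.B": b"CONSTRUCTED-TROJAN-B",
}


def signature_scan(data: bytes) -> list[str]:
    """Static pass: which known patterns occur in the bytes.

    Fast (one substring search per pattern), but it can only find what is
    already in the database; a rewritten variant shares none of these bytes.
    """
    return sorted(name for name, pattern in SIGNATURES.items() if pattern in data)


@dataclass
class Event:
    """One action observed while a sample ran in a sandbox (constructed format)."""
    kind: str      # e.g. "file_read", "file_write", "net_connect"
    target: str    # path or remote endpoint the action touched


# Constructed policy: where private data lives and which stores are protected.
SENSITIVE_PATHS = ("/home/", "C:\\Users\\", "/etc/shadow")
PROTECTED_DBS = ("customers.db", "payroll.db")


def behavior_verdict(trace: list[Event]) -> list[str]:
    """Dynamic pass: flag the dangerous behaviors the article names.

    Looks for hunting private information, altering protected databases, and
    writing out a new executable (the self-rewriting pattern signatures miss).
    """
    findings = []
    read_private = any(e.kind == "file_read" and e.target.startswith(SENSITIVE_PATHS)
                       for e in trace)
    sent_out = any(e.kind == "net_connect" for e in trace)
    if read_private and sent_out:
        findings.append("reads private files then connects out (possible exfiltration)")
    if any(e.kind == "file_write" and e.target.endswith(PROTECTED_DBS) for e in trace):
        findings.append("modifies a protected database")
    if any(e.kind == "file_write" and e.target.endswith((".exe", ".dll")) for e in trace):
        findings.append("writes a new executable (possible self-replication)")
    return findings


def triage(data: bytes, sandbox_trace: list[Event]) -> dict:
    """Signature scan first; fall back to the slower behavioral check only if it is silent."""
    sigs = signature_scan(data)
    if sigs:
        return {"method": "signature", "malicious": True, "details": sigs}
    findings = behavior_verdict(sandbox_trace)
    return {"method": "behavior", "malicious": bool(findings), "details": findings}


# Constructed samples: a known family, and a rewritten variant whose bytes
# share nothing with the database even though it behaves the same way.
KNOWN_SAMPLE = b"MZ\x90\x00" + bytes(32) + b"EXAMPLE-WORM-A\x00\x13\x37" + bytes(32)
VARIANT_SAMPLE = b"MZ\x90\x00" + bytes(range(64))

# Constructed sandbox traces.
VARIANT_TRACE = [
    Event("file_read", "/home/alice/Documents/accounts.xlsx"),
    Event("net_connect", "203.0.113.10:443"),
    Event("file_write", "/tmp/.cache/update.exe"),
]
BENIGN_TRACE = [
    Event("file_read", "/usr/share/doc/README"),
    Event("net_connect", "203.0.113.10:443"),
]

if __name__ == "__main__":
    print(triage(KNOWN_SAMPLE, []))                  # caught by signature alone
    print(triage(VARIANT_SAMPLE, VARIANT_TRACE))     # missed by signature, caught by behavior
    print(triage(VARIANT_SAMPLE, BENIGN_TRACE))      # no signature, no dangerous behavior
```

The point to notice is the second call: the variant contains none of the database bytes, so the fast pass says nothing, and only the record of what it did in the sandbox (reading a user's documents, connecting out, dropping an executable) exposes it. That is the trade-off the text describes: signatures are cheap and broad, behavior is slow but catches what has never been catalogued.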

How can malware be investigated?

DFIR teams confronted by a malware attack after the fact will want to investigate with a scanning tool. Open source solutions like Autopsy or professional tools like Cyber Triage are common choices for gathering either complete or targeted disk images from the infected machines.

What are the main takeaways for the C-Suite?

The savvy enterprise leadership will want to begin fighting malware before any attack with options like:

  • Maintaining an active security perimeter around work machines, with increased security and partitioning for the most sensitive data.
  • Developing the expertise for digital forensics before any incident to ensure a quick and effective response.
  • Conducting regular reviews of security procedures to update practices and ensure that any internal team is well-versed in preventing the newest and most dangerous malware attacks.