Getting a Handle on the Scale of Modern Malware

Targeted, custom and polymorphic malware is obviously a top concern for security teams. A steady drumbeat of high-profile breaches and revelations of highly sophisticated attacks driven by nation-states has burned this risk into the minds of everyone from the wiring closet to the boardroom. This has led many organizations to aggressively pursue new technologies and solutions that can help identify malicious files even in the absence of a known signature. This is great progress, but it has uncovered a challenge that many security practitioners didn’t expect: unknown malware isn’t all that rare.

Even forward-leaning organizations that have adopted new technologies to detect unknown malware still rely largely on manual investigation and remediation once the malware is detected. Given the scale at which large malware operations are run, a security team can quickly be consumed responding to wave after wave of malware variants to the point that they miss the truly targeted attack hitting their network. Ultimately, we need to realize that these are different threats that require different process and response. Where possible, we must automate our defenses against automated threats, including those that are unknown, so that our manual response can be focused on the true targeted and highest risk threats.

In the recently announced Modern Malware Review, I had the opportunity to analyze more than 26,000 seemingly unique samples of malware collected in real enterprise networks. All of these samples were tested against multiple antivirus solutions, and none of them had coverage at the time they were detected. However, on closer inspection, some of these samples were not so unique after all. If we looked beyond the superficial characteristics of file name and hash value, and dug into the payload of the malware itself, we quickly saw that over 40% of these samples were related.
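To make the "related beyond name and hash" point concrete, here is an added example (my own, not code from the Review or from Palo Alto Networks) that groups files by payload content rather than by exact hash. The samples, the byte n-gram fingerprint and the 0.5 similarity threshold are all constructed assumptions; a real workflow would use a proper similarity hash over files read from disk.

```python
import hashlib
import random
from itertools import combinations

# Constructed stand-ins for malware samples (not real files): three variants
# share one core payload but carry a different embedded config string and a
# different amount of appended junk; a fourth file is unrelated.
_rng = random.Random(20130401)
_CORE = bytes(_rng.randrange(256) for _ in range(4000))

def _junk(n: int) -> bytes:
    return bytes(_rng.randrange(256) for _ in range(n))

SAMPLES = {
    "invoice.exe": _CORE + b"CFG=c2-a.invalid;" + _junk(300),
    "update.scr":  _CORE + b"CFG=c2-b.invalid;" + _junk(120),
    "photo.pif":   _CORE + b"CFG=c2-c.invalid;" + _junk(500),
    "other.bin":   _junk(4300),
}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()  # differs for every variant

def byte_ngrams(data: bytes, n: int = 4) -> set:
    """Content fingerprint: the set of byte n-grams in the file. A simple
    stand-in for a similarity hash; unlike SHA-256 it survives small edits."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}

def similarity(a: bytes, b: bytes) -> float:
    """Jaccard similarity of the two n-gram sets, in [0, 1]."""
    ga, gb = byte_ngrams(a), byte_ngrams(b)
    return len(ga & gb) / len(ga | gb)

def cluster(samples: dict, threshold: float = 0.5) -> list:
    """Single-linkage grouping: samples whose payload similarity meets the
    threshold land in one family, whatever their file names or exact hashes."""
    parent = {name: name for name in samples}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    for x, y in combinations(samples, 2):
        if similarity(samples[x], samples[y]) >= threshold:
            parent[find(x)] = find(y)
    groups = {}
    for name in samples:
        groups.setdefault(find(name), set()).add(name)
    return sorted(groups.values(), key=lambda g: (-len(g), sorted(g)))
```

All four files have distinct SHA-256 values, yet `cluster(SAMPLES)` returns the three variants as one family and the unrelated file on its own.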

In addition to looking at the payload of malware, we can also see patterns in the behaviors of malware. This was especially apparent when observing malware communication tactics. Malware traffic is typically quite anomalous when compared to regular network traffic. Thirty percent of malware samples were observed to generate custom or otherwise unknown traffic as part of their command-and-control traffic.

These are obviously just starting points, but the concept is certainly one that is extensible, and ultimately necessary in my opinion. Security evasion and customized malware have become mainstream for attackers of all skill levels, and we will always lose if we attempt to fight an automated threat with a manual response.

Get Your Copy of Palo Alto Networks Modern Malware for Dummies!

via Getting a Handle on the Scale of Modern Malware ‹ Palo Alto Networks Blog.
