Reflecting on Damballa’s Q2 2014 State of Infections Report, I can’t help but to draw comparisons to the American Wild West. In today’s cyber era where seemingly anything goes, it’s still possible for the sheriff to reestablish order. Meanwhile, others on the cyber frontier are locked in a constant battle of survival trying to protect their assets against the next wave of inevitable attacks.
The Sheriff Arrives
Q2 delivered a watershed moment for the good guys, who demonstrated that persistence against threat actors can pay off. On June 2, 2014 we learned that the sheriff had arrived to take down the notorious GameOver Zeus (GoZ) botnet and its master and to stifle use of CryptoLocker, a destructive ransomware. Dubbed Operation Tovar, the effort was led by the U.S. Department of Justice and involved law enforcement and security professionals in more than 10 countries.
Damballa was grateful for the opportunity to contribute intelligence and resources to Operation Tovar, especially considering the global scope of those impacted. GoZ infected more than 1 million devices globally and collected hundreds of millions of dollars through financial fraud. The operation culminated in criminal indictments against the threat actors and a mass public communications campaign urging victims to remove the virus from their systems.
While one crime wave was deterred, others flourished. Even as Operation Tovar was underway, Damballa saw the rise of another type of ransomware, Kovter, which tries to shock or shame victims out of money. During the height of activity in June, Kovter infections reached 43,713 on a single day. These forms of malware will persist as long as they provide easy money for criminals.
A Tale of Survival
For most enterprises, defending their networks against cyber-attacks is a daily test of will and survival. The stakes are higher than ever. CIOs and even CEOs have lost their jobs because of breaches.
Dissecting the data from Q2, you can appreciate what security teams are up against. During that time, Damballa saw enterprises with more than 200,000 devices experience just a handful of infections, while smaller companies with under 600 devices had alarmingly high numbers of infections. On any given day, the ratio of active infected devices ranged from just under 0.1% up to 18.5%.
Why the wild swings? There are countless reasons, including the security controls in place and the behavior of the malware. For example, advanced malware may not be active every single day. It may stop communicating with its Command & Control server at any time to evade detection. Only by observing a device’s activity over time can an infection be proven with certainty. Imagine tracking hundreds or thousands of devices looking for the ones that are actually infected on any single day.
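As an added example (not code from the Damballa report or this post), the Python below contrasts a single-day snapshot of C2 contacts with a multi-day view over constructed observation data; the device names, dates, C2-contact flags and fleet size are all made up to show why intermittent beaconing is missed by a snapshot.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample of per-day observations: (day, device, contacted_known_c2).
# Two devices beacon to a known C2 domain only intermittently, as described above;
# other fleet devices are omitted because they produced no C2 traffic.
OBSERVATIONS = [
    ("2014-06-01", "ws-07", True),  ("2014-06-01", "ws-19", False),
    ("2014-06-02", "ws-07", False), ("2014-06-02", "ws-19", True),
    ("2014-06-03", "ws-07", False), ("2014-06-03", "ws-19", False),
    ("2014-06-04", "ws-07", True),  ("2014-06-04", "ws-19", False),
    ("2014-06-05", "ws-07", False), ("2014-06-05", "ws-19", True),
]
FLEET_SIZE = 600  # constructed fleet size, matching the 'under 600 devices' bracket

def daily_active_ratio(observations, fleet_size):
    """Snapshot view: percent of the fleet seen contacting C2 on each day."""
    active = defaultdict(set)
    for day, device, hit in observations:
        if hit:
            active[day].add(device)
    return {day: 100.0 * len(devs) / fleet_size for day, devs in active.items()}

def confirmed_infections(observations, min_days=2, window_days=7):
    """Over-time view: devices with C2 contact on at least `min_days` distinct
    days inside any `window_days`-day span, so a quiet day does not clear them."""
    window = timedelta(days=window_days)
    seen = defaultdict(set)
    for day, device, hit in observations:
        if hit:
            seen[device].add(date.fromisoformat(day))
    confirmed = set()
    for device, days in seen.items():
        ordered = sorted(days)
        for i, start in enumerate(ordered):
            # Count contact days from `start` forward that fall inside the window.
            if sum(1 for d in ordered[i:] if d - start <= window) >= min_days:
                confirmed.add(device)
                break
    return confirmed

if __name__ == "__main__":
    ratios = daily_active_ratio(OBSERVATIONS, FLEET_SIZE)
    for day in sorted(ratios):
        print(f"{day}: {ratios[day]:.2f}% of fleet active")
    print("confirmed over the window:", sorted(confirmed_infections(OBSERVATIONS)))
```

No single day shows more than one active device, and June 3 shows none, yet the multi-day view confirms both devices; shrinking the window or raising `min_days` shows how the confirmation threshold trades false negatives for delay.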
The Q2 2014 State of Infections Report offers some use cases describing factors that can contribute to high and low infection rates. As always, we caution security teams to be wary of a ‘Fool’s Gold’ approach to security. No single ounce of prevention can withstand advanced threats indefinitely. Malware will make its way into your network. It then becomes a race against time to automate the hunt for actual infections and reduce the time it takes to respond.
At the end of the day, we’re in this together. The security community must continue to fight the good fight on the cyber frontier and learn from our collective successes and failures. Damballa is more committed than ever to breaking new ground in advanced threat protection and staying ahead of threats that haven’t even been dreamed up yet.