Enterprise IT budgets have been fleshed with funds for what most consider a core defense; antivirus protection. Many others have gone by what best practice says to do and have layered in intrusion detection, host-based firewalls and anomaly detection.
Enter any organization today and you will find some type of patching going on, whether it be via an enterprise service like SMS or something as simple as automatic updates. This is usually a part of a solid vulnerability management program.
It’s taken years for organizations to get these solutions in place, all with the hopes that they have reduced risk and shaved down the attack vectors inherent to doing business. Now, just when we’re seeing organizations deploying layered security controls, the threat vectors have changed in such a way that the standards of good practice hardly do much to stop the criminals.
So what are the bad guys doing now? For openers, it is apparent that the bulk of attacks continue to target applications and services rather than the operating systems or platforms on which they run. Of these, remote access services and web applications are the vector through which attackers gain access to corporate systems.
Attackers gain unauthorized access to the victim via one of the many types of remote access and management software. These connections are provisioned to third parties to remotely administer systems. More often, an external entity compromises the partner and then uses trusted connections to access the victim. From the victim’s perspective, the attacker appears to be an authorized third party, making this scenario particularly problematic. This is especially so when trusted access is coupled with default credentials.
Most malware captures and stores data locally; captures and sends data to a remote entity; or enables remote access to or control of the infected system. Stealing credentials has been very easy to do for criminals and just as easy to push out of the enterprise because of the tiny data footprint. However, given that criminals now steal large amounts of data, it will be very difficult to send these records without being detected. Thus, today’s criminals are using the “capture and store” variety.
Attackers typically prefer this functionality for breaching payment card data and personally identifiable information (PII), since frequent exports of huge files containing millions of records is not the stealthiest of tactics. Of course, storing the payload on the victim’s systems introduces its own challenges — namely, how to retrieve it. To solve this problem, the attacker will typically open up a backdoor to return to the system undetected over the months that pass before the jig is up. It’s very common to find command shell tools on hosts that are compromised by capture-and-store malware.
Compliance is driving the malware tactics and markets.
Organizations are now adhering to PCI DSS standards in their business processes. This introduces encryption, and a variety of enhancements that protect data from the prying eyes of criminals. Organizations are beginning to store less-sensitive data as a part of normal business operations and encrypt the data they do retain. The bad guys are certainly not sitting idle and as usual, are always adapting to whatever business models are currently in use.
Traditionally, we’ve thought of stored data as files on the hard drive. Given how businesses now conduct operations, data can be scraped from places such as RAM or page files or even unallocated disk space. This presents a gap in the current protections now required of organizations.
Now, to be fair, to create malware capable of parsing RAM, considerable talent, time and money is needed. You aren’t going to find amateurs doing this. You’re going to find professional malware coders working on this for organized crime outfits. The potential for large amounts of valuable data is driving malware coders to develop this new breed of malware from scratch, which again, is never detected by current antivirus engines. This is a sobering thought, especially when you see that new varieties of malware are capable of bypassing newly deployed encryption schemes.
Not only has the enterprise changes driven new malware tactics, the black market itself has caused a shift. Because there is so much credit card data available, the price has fallen to levels where criminals had to develop ways to gather more valuable data to maintain profitability. In the case of credit card data, getting the PIN number along with the magnetic swipe data is now what’s hot. Again, memory scraping techniques are at the forefront of this new gold mine.
Given the complex nature of malware, what can you do to protect your data?
We’ve all deployed the prescribed security protections required by regulatory compliance standards. Even so, we know the bad guys are working around the clock to bypass all the efforts exerted. Knowing that firewalls, IDS, antivirus, antispyware and the variety of other point solutions aren’t nearly as effective as they once were, it’s time to really examine the business process and see if there are ways to allow only what is needed to complete the task, nothing more.
People may recognize this mindset closely with the days of dumb terminals where users were able to do only the tasks required to complete their role in the enterprise. Sadly, this seems to be one of the better ideas out there once you cut through the cavalcade of snake oil “solutions.” We know antivirus detection rates are at an all time low with 80 percent or more of the infections going undetected. It seems only logical that we treat our business processes like our own immune systems; allow only what you know and treat everything else as an infection. I can’t see any better way at the moment or in the foreseeable future.
Article courtesy of EnterpriseITPlanet.