Today, some of the most advanced malware is used only a few times for very targeted attacks rather than the mass attacks of the past. In the past, the idea was to flood the networks with enough infected files that some of them will go through the weaker defenses.
Now, as this type of mass distribution is less effective, malware developers have created more polymorphic code where the file itself is slightly different each time it’s sent. These types of attacks are very difficult to stop early. Only when malicious action is about to be taken, security software can come into play.
Targeted phishing attempts detected
Oftentimes, initial contact with the victim is completely innocuous looking – a simple email appearing to come from someone they know just asking if they are in the office. Once the trust is established, more detailed conversation and a request to take action follows, which often includes a malicious file or link.
True advanced targeted attacks rely on a series of techniques in order to be successful—combining social engineering with computer science. Another approach is to send different payloads—often files to be opened or links to be clicked on—to probe for vulnerabilities.
How to detect advanced Malware
Be on the lookout for increased threat activity, and if you’re under a probing attack adopt a stricter posture. When you suspect that you are under possible attack, review your security systems and alerts with greater care and when the weak point is identified, your defenses will need to be strengthened.
One of the classic challenges in computer security is the need to avoid both false positives as well as false negatives—crying wolf too many times results in alarms being ignored.
Finally, continue to protect and detect at the endpoint for network anomalies such as network exploration, suspicious file transfers, communication with suspicious command and control servers, to name a few.
Signature comparison – no longer sufficient
Defenders need to deploy Advanced Threat Detection technologies such as sandboxing, network cloaking and monitoring to try to stop malware from infiltrating the organization or to detect it early, before any damage is done.
Sandboxing allows defenders to execute and observe the suspect file in the isolated environment before being allowed on the network. Consider and secure all threat vectors in order to minimize the potential for damage—start with protection of infiltration vectors—email, web, file transfer, USB.
Finally, any really valuable assets should be encrypted and keys stored securely. This way even when the network is infiltrated and the event goes undetected, the damage is limited.
In this unending race, malware is becoming more and more advanced, slipping past more and more sophisticated defense mechanisms. Malware developers tend to experiment with a lot of different methods and attack vectors before discovering the best approach to infiltrate specific defenses of the organization.
What that means is that there is no single solution to prevent even the majority of attacks.