Guest Column | July 14, 2016

Warning: What You Need To Know About Malware

Vawtrak Malware Takes A “Crimeware-As-A-Service” Approach

By David Nathans, director of security, SOCSoter

Most people think that if they have a firewall and some kind of anti-virus program they are good, thumbs up, no need to worry about all that cyber stuff. Unfortunately, it is exactly this kind of thinking that makes cyber criminals so wealthy and drives the rate of cybercrime up.

Additionally, small and mid-sized businesses typically believe they are too small for a cyber-attack or don’t have anything worth stealing. This thought process is perpetuated by the fact that the national news does not typically carry stories of breaches at small businesses, or cases where organizations lose fewer than a few million records. This does not mean smaller breaches are any less devastating to a business or even to its customers; it just means we have been desensitized to cybercrime and it takes bigger and bigger events to turn heads.

A study of smaller businesses performed by the Ponemon Institute showed that technology such as anti-virus is still useful but cannot be depended on alone to protect against cyber-attacks. In the study, small businesses reported that the security issues they encountered evaded most anti-virus solutions, and that a more defense-in-depth approach has to be employed to gain better visibility into the business environment and its network traffic.

The advanced modern threats we deal with today require a layered, defense-in-depth approach to securing any business. Unfortunately, the return on investment is never fully realized when it comes to security because, if all the tools do their jobs properly, an incident may not occur at all or will be minimal at worst. Therefore only metrics showing what could have happened can be offered as proof of value.

If there is an unfortunate cybersecurity incident, hindsight will clearly show a chink in the armor: a lack of vision or funding that meant the required technology was never implemented, allowing the incident to occur. This can be clearly seen when people use free versions of anti-virus products or fail to apply free security patches to their systems.

There are a few core cybersecurity concepts that, when followed, have withstood the test of time and should be implemented on every business network. First is the basic concept of defense in depth, where firewalls protect the external side of the network. Next is advanced network monitoring, watching all the traffic on the inside. Lastly, endpoint management protects the individual systems as well as it can. There are many other types of technology that can be used in a business to further strengthen the company’s resilience to attack, but the basic building blocks need to be there first.

While a firewall blocks direct attacks, an email can pass through the company’s firewall unchallenged, and when it is received on a user’s desktop, nothing may be detected by anti-virus because the email does not contain any previously known malicious code or executable files. When the user opens the attachment, fileless malware runs in memory, stores JavaScript in the registry, and begins to download other files and malware from the internet, which is then detected by the network monitoring system. Without a defense-in-depth strategy this type of malicious activity would never have been spotted. What is being described here are malware variants such as Solarbot, Phasebot, and even Poweliks and Kovter, which are all persistent, fileless, registry-based malware and key components of the ransomware we are seeing today.

As anti-virus vendors struggle to keep up and more and more threats use ports the firewall already allows, the value of defense in depth can clearly be seen. In this example, the network monitoring system did not need to know what the malware looked like, just that a system was behaving poorly.
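As an added illustration of the endpoint layer in the scenario above (this is not code from the column or from SOCSoter): a small triage routine over constructed autorun (Run-key) values that flags the script-host launchers registry-resident, fileless families such as Poweliks and Kovter are known to use, so the persistence the column describes can be spotted even when no file is written to disk. All value names, paths and command lines below are constructed samples, not indicators from the column.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of Run-key values as an endpoint agent or registry export
# would return them: (value name, command line). The last three imitate the
# shape of script-host launchers used by registry-resident fileless malware;
# none of these are real indicators.
SAMPLE_RUN_VALUES: List[Tuple[str, str]] = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    ("a1b2c3", r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";var s=1;'),
    ("Updater", r'mshta "javascript:close(eval(constructed_payload))"'),
    ("Helper", r"powershell.exe -w hidden -enc QwBvAG4AcwB0AHIAdQBjAHQAZQBkAA=="),
]

# Windows binaries that will execute code handed to them on the command line.
SCRIPT_HOSTS = ("rundll32", "mshta", "wscript", "cscript", "powershell", "regsvr32", "cmd")

# Markers of code carried inside the registry value itself, i.e. no script file on disk.
INLINE_CODE_MARKERS = (
    (re.compile(r"javascript:", re.I), "inline JavaScript in the autorun value"),
    (re.compile(r"vbscript:", re.I), "inline VBScript in the autorun value"),
    (re.compile(r"\s-enc(odedcommand)?\b", re.I), "Base64-encoded PowerShell command"),
)


def launcher_of(cmd: str) -> str:
    """Return the lower-cased basename of the program an autorun value starts."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', cmd)
    path = (m.group(1) or m.group(2)) if m else ""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_run_value(name: str, cmd: str) -> Dict[str, object]:
    """Flag a Run-key value whose launcher is a script host fed inline code."""
    launcher = launcher_of(cmd)
    is_host = any(launcher.startswith(h) for h in SCRIPT_HOSTS)
    inline = [why for pat, why in INLINE_CODE_MARKERS if pat.search(cmd)]
    # A script host pointed at a file on disk is only worth a look; inline code is the alarm.
    reasons = inline or (["script host in autorun; check its arguments"] if is_host else [])
    return {"name": name, "launcher": launcher, "reasons": reasons,
            "suspicious": is_host and bool(inline)}


def suspicious_run_values(values: List[Tuple[str, str]]) -> List[str]:
    """Names of the autorun values an analyst should look at first."""
    return [r["name"] for r in (triage_run_value(n, c) for n, c in values) if r["suspicious"]]


if __name__ == "__main__":
    for name, cmd in SAMPLE_RUN_VALUES:
        r = triage_run_value(name, cmd)
        print(("SUSPECT " if r["suspicious"] else "ok      ") + name, "-", "; ".join(r["reasons"]))
```

On a real host the same routine would be fed the values read from the HKCU and HKLM Run keys; pairing its hits with the outbound-download behaviour the network layer sees is what turns two weak signals into a confident one.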

There are many different tools out there to help clients be more resilient to cyberattacks, but without keeping the core defense-in-depth strategy in mind you may be locking the front door without realizing the back door is wide open.

David Nathans (@zourick) is the director of security at SOCSoter, a Managed Security Service Provider catering to IT service providers helping to secure customers nationwide with affordable cybersecurity services and dedicated security engineers.

About SOCSoter, Inc.
SOCSoter (@SOCSoter) is a Nevada corporation headquartered in the state of Maryland since 2015. It was built to help small and medium-sized businesses combat the growing business risks associated with network-connected systems and applications. Service offerings include dedicated cybersecurity engineers monitoring easy-to-install, internally developed proprietary hardware and custom software, provided free as part of the service offerings, negating the need for capital expenditure by SOCSoter customers.