Guest author Kerry Davies, CEO of Abatis, discusses why a major shift is needed in the way we protect ourselves from cyber attacks.
Can your business avoid becoming a victim of a zero-day cyber attack?
You don’t really want to hear the answer, though you probably suspect it. The truth is that traditional antivirus programs, white-listing programs and other common security techniques stop only about 5% of new malware and less than 60% of malware over 1 month old.
You can minimise your exposure by adopting good practice and computer security hygiene, but a determined criminal gang or state actor can craft malware that will never have been seen before. This is called a zero-day security vulnerability — an exploitable weakness in an operating system or application program that the developers have not yet had time to fix.
Sophisticated Zero-Day Attacks
Of course, sometimes weaknesses in operating systems and application programs can exist for years without being discovered – and sometimes they are discovered but kept quiet for years (or as long as possible) to be used as cyber weapons by the criminal fraternity or state actors. A piece of malware known as RED OCTOBER or Rocra managed to hide from sight all over the world, stealing data from government, diplomatic and research sites for more than five years before being discovered.
This example is at the extreme end of what is possible when well-financed criminals or state-sponsored hackers craft malware. Another example was the STUXNET worm that was used to attack the Natanz nuclear facility in Iran. This malware contained four zero-day attacks, which is an unprecedented (some would say profligate) use of such malware– the attackers obviously wanted to make sure that Iran’s nuclear weapons programme was severely damaged.
Who wrote STUXNET? There are many rumours, but it is fairly obvious which countries stand to gain most from Iran’s nuclear weapon programme being pushed back by a few years. Of course, it is probably impossible to know for sure who did it, and this is the biggest problem with cyber warfare: ‘’attribution’’. If you can’t say with 100% certainty who landed an attack against you then you really can’t launch countermeasures yourself. This can sometimes lead to a large, powerful country being relatively helpless to respond to a non-attributable cyber-attack from a smaller, less economically powerful belligerent country – truly asymmetric warfare!
The same is also true of companies stealing intellectual property from other companies in a totally non-attributable way and thus gaining competitive advantage – business truly is war!
How Malware Disguises Itself
STUXNET and RED OCTOBER were sophisticated pieces of malware, but a less sophisticated form of zero-day attack is possible. There are tools available on the Internet known as packers which can obfuscate or hide existing malware so that it is unrecognisable to a traditional signature-based anti-virus program. This is like a criminal putting on a fake beard, hat and gloves to fool the police.
These packers come in various forms and levels of sophistication, from free to reasonably expensive with a money-back guarantee of effectiveness. So it is now fairly easy for anyone to take an existing virus, worm or Trojan Horse which has the attacker’s desired effect (e.g., the Zeus banking Trojan that is designed to steal banking details, log keystrokes and install ransomware, such as CryptoLocker) and change its appearance using a packer so that, to the signature-based anti-virus community, it appears to be a completely new and therefore benign program.
Unleashing newly packed variants of malware on the world is one of the reasons why the traditional AV vendors claim to be discovering some 150,000 new malware samples every day. These packed malware variants may not be as clever as the true zero-day exploits found in STUXNET, but they can be just as effective until the AV companies manage to isolate a sample and generate a suitable signature for it.
The AV companies are always playing catch-up with the malware writers — and unfortunately, to generate a new signature requires someone to become infected. These days it is so easy to generate new zero-day type attacks using packers that the AV companies are losing the race. More and more people, companies and government departments are becoming infected with new variants of old malware because the AV community’s model of ‘detection’ and ‘clean-up’ after infection is broken.
Time for a Change
The information security industry must accept that there needs to be a paradigm shift in its thinking – embracing new approaches to better detect and prevent malware’s impacts, rather than adding yet more layers of complexity to a fundamentally flawed AV approach.
We need a revolutionary approach to fighting malware, one that doesn’t require someone to become infected to generate an antidote (signature), one that doesn’t generate as many false positives and false negatives, and one that doesn’t require the user to download gigabytes of signature file database every day to combat the threat. There are multiple alternative approaches to improving the current state of the art. One such approach is to focus on a more immediate identification and response to malware’s effects (rather than relying exclusively on pre-emptive identification of the malware itself), negating its impact and reducing today’s long gap between infection and discovery.
Another approach involves looking at malware as a program that wants to execute on the target computer and wants to stay resident and hidden on that computer in order to continue doing its ‘bad deed’ for as long as possible. Is it possible to identify a file as a program? Yes, of course – the operating system does this with 100% certainty. After all, if the operating system does not recognise something as an executable program, it does not execute it and the machine does not become infected!
Abatis thinks that the future of malware protection will leverage these new ways of looking at malware. Abatis leverages the ring-based architecture of the operating system to prevent malware infection. Doing so can deliver a very fast, efficient and reliable protection mechanism that does not require regular maintenance and update.
These approaches are needed not just for businesses but for individuals. Even if you don’t have millions of dollars or pounds to steal, or a cache of nuclear weapons, you and millions of people like you could provide a very convenient springboard from which to launch a denial of service (DOS) attack against an online retailer in order to extort money from them. What’s more, getting onto your company’s network through your poorly protected work laptop or remotely connected home machine may well give an attacker the perfect opportunity to gain access to your company’s plans, intellectual property and bank details.
So take your cyber hygiene seriously and follow the guidance provided by the Get Safe Online campaign. Get your company to comply with your country’s version of the Cyber Essentials Scheme. I also recommend checking out the UK’s 10 steps to cyber security .
True protection requires individual vigilance — as well as an industry-wide change in protection.