Last week, we hosted our monthly #SecChat on Stealth Crimeware. When it comes to building malware, cyber criminals are getting smarter – employing stealth techniques with malware able to self-replicate and evade detection for long periods of time. It can be costly for enterprises to remediate the damage done to infected machines and networks. During this month’s #SecChat, we wanted to find out what challenges organizations face when it comes to the prevention and detection of stealthy malware.
To start the conversation, we asked participants to share the remediation costs or impact stealthy malware has had on their organization. @Labnuke noted remediation costs often get “lost” in many organizations that are only interested in getting services restored, an observation with which both @DaveMarcus and @0xjudd agreed. @DaveMarcus asked the chat if stealth detection was realistic, considering that security technologies and malware occupy the same “space.” @Labnuke noted security technology and malware tend to hide inside of each other, and that stealth malware is effective at detecting, disabling and evading security technology. @imaguid stated that as long as malware is active it can interfere, and therefore the only way to deal with malware is to make sure it doesn’t become active. @DaveMarcus then added that he often ponders over stealth detection effectiveness while inside the OS, since rootkits know exactly how to evade traditional models.
Following this, I asked if virtual environments are inherently more or less susceptible to rootkits than traditional systems, which elicited various responses. @grap3_ap3 thought they were equally susceptible, but @0xjudd suggested that virtual machines are not more or less secure, just less targeted. @DaveMarcus thought that VM environments are neither more or less secure objectively. He pointed out that VMs have a distinct advantage in that you can monitor them from the outside, and reiterated that moving beyond the OS is important. @451wendy chimed in that it comes down to how the system is managed and controlled, not whether it’s physical or virtual.
@Labnuke then noted that the issue in physical and VM worlds is how to remediate the problem while also determining at what point the infection happened, which @DaveMarcus agreed with. @gacevedo suggested that one could use behavioral analysis to determine at which point the infection happened. @Labnuke asked how one detects bad behavior, with @securelexicon wondering what research has been done in terms of studying the use of social engineering in concert with stealth malware. @DaveMarcus countered that the question on behavioral is if there is enough information to “convict” to a specific file or event – correlation is needed.
@joshcorman made an interesting point that people are over-focused on highly replaceable/recoverable data losses instead of more serious/irrecoverable losses. @labnuke added that multiple replaceable/recoverable losses can quickly add up to serious/irrecoverable losses. @securelexicon agreed, citing a recent pentest where he discovered a malware infection that was thought to be cleared of 6 months ago. Indeed, the problem of stealthy malware is not just about data loss, and during our chat I emphasized that with “reincarnating malware,” some people might just burn an entire infected system and backup tapes too, which can be very expensive for enterprises.
As we winded down the chat, @IntelSec_Biz asked what are the biggest obstacles are that organizations face when it comes to preventing the threat of stealthy malware. @joshcorman stated that stealthy attacks aren’t even required very often since people skip basic security measures like hardening or DefPassword. @labnuke suggested that the biggest obstacle is probably awareness, and as stealthy attacks by name mean “hidden,” a drive-by taking advantage of an unhardened system can result in exploits and loss. @DaveMarcus concluded that the OS and today’s security technology methodologies are known quantities – cybercriminals know our game, and change is needed to combat stealth crimeware.
Be sure to check out our recent whitepaper with Intel on The New Reality of Stealth Crimeware. Stay tuned for our July #SecChat, and feel free to tweet at @IntelSec_Biz with any questions/feedback in the meantime.