Reports of breaches at private companies and federal agencies piled up throughout 2014. While security officials scramble to shore up defenses and shorten response time, experts say the malware threat is only going to get more sophisticated and easier to deploy in 2015.
Much of the discussion in 2014 centered on leaks from insiders, whether malicious or accidental. However, of the 10 breaches and vulnerabilities reported by federal agencies in 2014, eight were a direct result of hackers attempting to put malware on government systems.
The largest — a breach of Postal Service networks — exposed the personally identifiable information of more than 800,000 employees, including birth dates, home addresses and Social Security numbers.
In 2015, “Malware is going to become the tool of choice rather than others because it’s easy to build,” said Paul Christman, vice president of Dell’s Public Sector Software division.
“The level of sophistication for malware is going to become higher and higher and higher,” Christman said. “It’s going to become easier to construct malware out of recyclable parts that are generally available via the Internet. From that perspective, the barrier to entry for malware is going to be lower.”
In the public sphere, many of the attacks on federal networks have been attributed to state actors, with China, Russia and North Korea taking many of the headlines, along with smaller state-sponsored groups.
“We’re not in a world with two nations with fingers on the button ready to launch bombs at each other anymore,” said Rob Roy, federal chief technology officer for HP Enterprise Security Products. “We’re now in a digital world with everyone else.”
In this new reality, understanding the malware threat is about “strategic intelligence,” Roy said — knowing the actors and their motives.
The methods used in state-sponsored attacks tend to be more advanced, though the malware itself is not necessarily more sophisticated.
“The malware that comes out of China … by and large is very, very simplistic,” according to Joe Stewart, director of malware research at Dell’s information security lab, SecureWorks. “China’s approach seems to be throw a lot of basic level programmers at a problem.”
“You can either get super stealthy with something or just have enough new stuff churning that it takes a long time for anti-virus companies to catch up,” Stewart said. “That strategy of just coming up with a thousand new pieces of malware — that are all basic but are new — that works pretty well if you have enough programmers.”
While Chinese perpetrators attack en masse, other parts of the world are producing truly sophisticated intrusion methods.
“What we’re seeing is more sophisticated ways to deliver malware and hide in traffic,” Roy said.
“The quiet actors hide in the noise,” he said. A blunt, obvious attack could actually be just the tip of the spear while the more sophisticated malware “just quietly rides that traffic.”
A security manager might remediate the known intrusion and think the job is done, never realizing more sinister code was implanted during the breach.
Stewart noted that while the more complicated malware attacks are only now becoming known publicly, many have been in development for five years or more.
“You can only imagine the stuff that’s being developed right now that we haven’t seen yet,” he said. “These are sophisticated groups with lots and lots of money behind them and lots and lots of expertise; they can do things that are very stealthy.”
For example, 2014 saw attacks using memory-only malware, which moves around a system executing arbitrary commands without ever writing a file to disk.
In-memory or diskless attack code “is almost not malware,” Stewart said, and can be very difficult to detect because there is little — if anything — on disk for analysts to grab onto. “Unless you have the full infection chain from beginning to end, you really can’t see what happened.”
Identifying these new attacks is hard, and studying them has been problematic as well, in part because of their rarity.
“It’s really, really hard to come by,” Stewart said. “You have to be a high-level target, you have to know you’re being targeted and you have to find that very stealthy malware.”
Once inside, hackers often use a methodical approach termed advanced persistent threat (APT).
“That’s the way sophisticated actors take down an organization,” Roy said. “A bad actor gets in and then starts siphoning information,” infecting a network piece by piece so that if one piece of malicious code is discovered and removed, others continue working behind the scenes.
“Security is never perfect,” Roy admitted. “It’s about risk management: how to do a much better job of detecting it and shutting it down.”
Cybersecurity starts with people
While malware attacks are expected to become more advanced in 2015, so are the means for defending against them. But the first and most important defense is also the least technical: educating users.
Programs like continuous diagnostics and mitigation (CDM) provide security managers with a holistic view of a network, giving them the ability to spot unauthorized users and actions, presumably before extensive damage is done.
However, preventing malware from breaching a system in the first place relies on authorized users practicing proper cyber hygiene.
“Malware is only effective because of users clicking on something, doing something that they oughtn’t do,” Christman said.
Federal agencies are getting better in this regard, Christman said.
“In the federal space it’s becoming more of a consistent training effort … across all the agencies we talk to,” he said. “User education is probably going to be the hardest wheel to turn because there’s so many people but it’s also the thing that could probably bring us the biggest benefit.”
Social engineering — getting a user to give up log-in credentials through a spear-phishing email, for example — is often the first step in a malware attack.
“There are those few attacks that solely rely on social engineering and credentials. But most of the time your attackers are using tools” like malware, Stewart said. “They want more control over the network, more ability to exfiltrate data and in order to do that they really need a backdoor.”
A mix of educating users and sharing information on known threats will start to tip the scale in favor of the defenders, in Roy’s assessment.
“We’re living in an interesting time right now,” he said. “As we see the government investing in new technologies like CDM, it should be a game changer.”
But the fight will continue.
“As long as people can steal data and make use of it, [the use of malware] is going to continue to increase,” said Kevin Kelly, CEO of LGS Innovations.