By Kowsik Guruswamy, Menlo Security
At RSAC 2016 we heard about a variety of different and innovative security technologies, all trying to combat the increasingly aggressive threat landscape. But one thing stayed constant: Current security technologies are failing to effectively mitigate cyber threats.
Nearly one million new pieces of malware are released daily and nearly 97 percent of malware encountered on users’ computers is unique, as criminals automatically generate variants in order to stymie defensive software.
With over one billion websites available today and over 100,000 sites added daily, the Web is the primary vector for malware to creep into an organization. Most of the time, it happens without the user or IT even knowing.
Rather than focus on creating signatures for the millions of different malware variants – which is virtually impossible – security solutions should focus on the attack vectors. Even though there are infinite strains of malware, there are only a handful of vectors, some of which include surfing the Web, Flash, phishing emails, Trojan downloads and portable document formats (PDFs).
These are the five most common ways malware can creep into your system.
Malware Vector No. 1: Surfing the Web (Malvertising)
The Web is ever changing and growing, making it one of the most commonly used attack vectors for hackers to steal users’ data. Just by surfing the Web, malware can be injected into a system without clicking on any downloads, plugins or intentionally opening any files. When navigating the Web, we put ourselves at risk. Malvertising involves injecting malicious or malware-laden advertisements into legitimate online advertising networks and Web pages. In the case of the Plenty of Fish (pof.com) online dating site, ad networks serving pof.com were used as a key link in the attack chain that ultimately infected millions of visitors’ devices with the Tinba banking Trojan.
Malware Vector No. 2: Flash Vulnerabilities
Adobe Flash vulnerabilities have been increasing over the years. Hewlett Packard Enterprise states that of the top 20 malware-targeted vulnerabilities last year, half were Adobe Flash vulnerabilities. Yet roughly 20 percent of websites still use Flash. A number of high-profile website hacks have utilized Flash in the past year.
One example: the Yahoo hack, where a seemingly trusted website was infected with information-stealing malware. The method of the attack is nothing new. Based on the Angler exploit kit, bad actors place ads via Yahoo’s network, and the ads direct users to sites that have been compromised and set up to serve malware.
Malware Vector No. 3: Spear Phishing Emails
Spear phishing is one of the most common email attack vectors, where attackers disguise themselves as other employees or legitimate entities. With spear phishing, hackers target organizations for confidential or highly sensitive data. This was the case with Snapchat. Despite an email coming from an external address, neither the company’s security system nor the employee realized it was fake and payroll data was then sent to the scammer. Especially with social engineering coming into play, hackers are becoming much more sophisticated and their attacks more personalized and enticing.
Malware Vector No. 4: Web Trojan Download
We are seeing a pattern with Chrome extensions, WordPress plugins and the like; software that starts out safe is turned into malware, either through exploitation or a software update. The initial download of the legitimate software is used as a Trojan horse. When a user installs third-party software, it’s impossible for existing security mechanisms to detect if it’s malware or not. Most recently we saw a Mac ransomware that used a backdoored BitTorrent client that came in via a software update.
Malware Vector No. 5: Weaponized Documents
PDF and Microsoft Office documents such as Word and PowerPoint permeate the Web. This is something that we don’t often notice – until a critical vulnerability shows up. Popular browsers like Chrome and Firefox contain built-in viewers for PDFs, which enable document viewing to blend seamlessly with the native Web experience. But easy document viewing can come at a price. A simple click, (whether on the Web or in an email), can lead to a document that’s potentially weaponized and laden with malware.
Data breaches are costing enterprise companies millions of dollars each year, and that number won’t slow down any time soon. Security detection mechanisms look for a finite set of malware patterns, but the number of variations is infinite and impossible to effectively track.
Despite the growing sophistication, infection vectors stay constant. Every breach starts out with the same vectors, and the two largest buckets encompass Web and email. The only difference is what the malware does post-breach. If we are to begin to truly combat malware, we need to start by securing the vectors.
Kowsik Guruswamy is CTO of Menlo Security. Previously, he was co-founder and CTO at Mu Dynamics, which pioneered a new way to analyze networked products for security vulnerabilities. Prior to Mu, he was a distinguished engineer at Juniper Networks. Kowsik joined Juniper via the acquisition of NetScreen/OneSecure, where he designed and implemented the industry’s first IPS. He has more than 15 years of experience in diverse technologies like security, cloud, data visualization, and computer graphics. He has 18 issued patents and holds an MSCS from University of Louisiana.