Threats 101
Jonathan Crowe
Mar 2018

March Malware Madness: Pit Your Security vs. 4 Types of Attacks


It's that time of year again. If your office is like most, for the next two weeks it's likely getting swept up in March Madness. But while basketball is fine and filling out brackets is fun, there's a different type of madness you might be more worried about — the kind that compels employees to open suspicious emails, visit shady sites, and stream videos from questionable sources with even more abandon than usual. 

We're talking about click-happy malware madness. And we created a video that showcases the damage it can cause. 

Check it out below. You may even recognize the guy playing the role of "Just your average user" in his acting debut ;-)

While we're on the subject of malware madness, here are a couple of posts you can share with your users to help them make smart decisions and stay safe this month:

In addition, this may be a good opportunity to audit your security tools to make sure you're protected from today's most common types of attacks. More info on what those are below.

Malware Bracketology: How Many Malicious Matchups is Your Security Designed to Win?

Building up your company's endpoint security actually isn't entirely different from preparing a team to make a deep NCAA tournament run. Sound like a stretch? Hear me out. 

First, you need to make sure you have the right lineup. In security terms, that means having the right policies and solutions in place. But you can't build a lineup around handling just one type of opponent, or, in our case, just one type of threat. You need to ensure your lineup can handle a variety of attack scenarios and threats — some designed to target different vulnerabilities and weaknesses than others.

To help you get a sense of how strong your current security lineup is and what your potential gaps are, let's imagine you've been placed in a tournament where your company goes head-to-head against four different types of attacks. As in the real-life March Madness tournament, the matchups get tougher with every round.

Think you've got the right lineup in place to make it through to the end? Let's find out. 

Round 1: Your Business vs. Known Malicious Executables


The first matchup in our tournament is the one your business should be best prepared for. At this point, known malicious executables are an opponent that's been well scouted. Security products, including traditional antivirus (AV), have seen these programs before — they know they're dangerous and shouldn't be allowed to run, so as long as they can recognize them they generally have little trouble shutting them down.

As long as you have an antivirus, next-generation antivirus (NGAV), or an endpoint protection platform (EPP) with solid file scanning or other file analysis in place, you should be reasonably protected. 

Round 2: Your Business vs. Unknown / Polymorphic Malicious Executables


Things start getting trickier in Round 2. Attackers have long realized traditional AV solutions primarily rely on checking file signatures against blacklists in order to identify and block malware, and they understand that's not a very scalable approach. 

Malware authors have responded by dramatically increasing the volume of new malware they're creating (often simply tweaking existing malware just enough to make it appear new or unrecognizable to AV scanning engines). Others are utilizing polymorphic techniques, for example programming malware to create new, unrecognizable copies of itself each time it lands on a new machine.  

Both approaches have been successful at evading traditional AV, and as a result, NGAV and EPP solutions that utilize machine learning to analyze file attributes and more accurately predict whether unknown files are malicious have gained traction. 
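As an added illustration (not code from the original post), the toy Python below contrasts the two detection models this round describes: an exact-hash blacklist, which a single changed byte defeats, and a crude content-attribute comparison (byte n-gram similarity, a deliberately simple stand-in for the richer feature analysis ML-based products perform) that still recognises the tweaked copy. The "files" are constructed byte strings, not real malware.

```python
import hashlib
from typing import Set

# Constructed stand-in for a known-bad file (a repetitive blob, not real malware).
KNOWN_BAD = b"MZ\x90\x00" + b"example-payload-body " * 8 + b"cmd.exe /c start"

# Constructed "re-packed" variant: byte-for-byte identical except the last byte.
_tweaked = bytearray(KNOWN_BAD)
_tweaked[-1] ^= 0x01
TWEAKED = bytes(_tweaked)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Model 1: the traditional AV approach, an exact-hash blacklist.
BLACKLIST: Set[str] = {sha256(KNOWN_BAD)}


def blocked_by_hash(data: bytes) -> bool:
    return sha256(data) in BLACKLIST


# Model 2: compare content attributes instead of identity. Overlapping 4-byte
# windows are a deliberately crude stand-in for the features an ML model uses.
def byte_ngrams(data: bytes, n: int = 4) -> Set[bytes]:
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def similarity(a: bytes, b: bytes) -> float:
    # Jaccard similarity of the two n-gram sets, in [0.0, 1.0]; 0.0 for empty input.
    ga, gb = byte_ngrams(a), byte_ngrams(b)
    union = ga | gb
    return len(ga & gb) / len(union) if union else 0.0


def blocked_by_similarity(data: bytes, threshold: float = 0.9) -> bool:
    return similarity(data, KNOWN_BAD) >= threshold


if __name__ == "__main__":
    for name, sample in (("original", KNOWN_BAD), ("tweaked", TWEAKED)):
        print(f"{name}: hash-blocked={blocked_by_hash(sample)} "
              f"similarity={similarity(sample, KNOWN_BAD):.3f} "
              f"attribute-blocked={blocked_by_similarity(sample)}")
```

The tweaked copy slips past the hash check but scores above 0.9 on similarity, which is the gap between "recognize this exact file" and "recognize what this file looks like".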

Because there are many different approaches to utilizing machine learning, and because it's becoming increasingly common for vendors to say their product leverages it, it's worth digging deeper and asking vendors specific questions to get more details. 

For more on how machine learning actually works, see our post "Beyond the Hype: What Machine Learning Really Means for Endpoint Security".

Round 3: Your Business vs. Weaponized Documents / Malicious Scripts


The previous two rounds have been all about testing your company's defenses against malicious executable files, but what about attacks that don't involve a malicious .EXE at all?

Attackers are constantly probing for new weaknesses, and AV/NGAV reliance on file scanning is a limitation they're only too happy to work around. One technique in particular that has been gaining popularity is weaponizing document files (Microsoft Office files, PDFs, etc.) by using them as vehicles to launch malicious scripts. 

The most common example is embedding a malicious macro inside a Word document. Because macros typically run only after a user opens the file and enables them, a file scan by AV/NGAV has little to go on and can't vet these documents effectively. And because so many businesses rely on Office documents, most of the time the files can't simply be blacklisted either.

Attackers are also increasingly abusing PowerShell, a powerful scripting framework installed on every Windows machine. It can be used to carry out a wide variety of malicious activity, and in some cases no executable file is ever written to disk. To detect and block these attacks, businesses need security solutions with behavioral protection expressly designed to limit and prevent scripting abuse.
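As an added example, not code from the post or from Barkly's product, this Python sketches the kind of behavioral check this section calls for: it inspects process-creation events for an Office application spawning a script host, a hidden-window PowerShell flag, and an -EncodedCommand payload, which it decodes so an analyst can read what would have run. The field names and sample events are assumptions modelled loosely on Sysmon process-creation data, and the encoded script is a harmless `Get-Date`.

```python
import base64
from typing import Dict, List

# Parent processes that should almost never launch a script interpreter.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
WINDOW_FLAGS = {"-w", "-win", "-windowstyle"}

def is_encoded_flag(token: str) -> bool:
    # powershell.exe accepts -e, -ec and any unambiguous prefix of -EncodedCommand.
    t = token.lower().lstrip("-/")
    return t == "ec" or (t.startswith("e") and "encodedcommand".startswith(t))

def decode_encoded_command(tokens: List[str]) -> str:
    # -EncodedCommand carries the script as base64 of UTF-16LE; "" if absent or malformed.
    for i, tok in enumerate(tokens[:-1]):
        if is_encoded_flag(tok):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return ""
    return ""

def assess(event: Dict[str, str]) -> List[str]:
    """Return findings for one process-creation event (empty list means nothing flagged)."""
    parent = event["parent_image"].rsplit("\\", 1)[-1].lower()
    image = event["image"].rsplit("\\", 1)[-1].lower()
    tokens = event["command_line"].split()
    findings = []
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        findings.append(f"office-parent:{parent}->{image}")
    if image in ("powershell.exe", "pwsh.exe"):
        if any(t.lower() in WINDOW_FLAGS and n.lower() == "hidden" for t, n in zip(tokens, tokens[1:])):
            findings.append("hidden-window")
        decoded = decode_encoded_command(tokens)
        if decoded:
            findings.append(f"encoded-command:{decoded}")
    return findings

# Constructed sample events, loosely modelled on Sysmon process-creation fields; not real telemetry.
HARMLESS_SCRIPT = base64.b64encode("Get-Date".encode("utf-16-le")).decode()
EVENTS = [
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc " + HARMLESS_SCRIPT},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -File C:\scripts\backup.ps1"},
]
```

Running `assess` over `EVENTS` flags the first event three ways (Office parent, hidden window, decoded `Get-Date`) and leaves the second, an ordinary scheduled script, clean; note that none of these checks looks at a file on disk.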

 

Round 4: Your Business vs. Local Exploits / Malicious Behavior


If you've made it this far, congratulations! Your company is ahead of the game on a few really important fronts, but you're not ready to claim victory and cut down the nets just yet.

While the rounds above have tested your company's ability to prevent malware delivery, there are still situations you need to prepare for that assume attackers have somehow gained access to one of your machines. Whether it's exploiting vulnerable software you haven't had a chance to patch, or gaining access via an exposed port you haven't had a chance to properly secure, as long as there are attackers out there incessantly probing for cracks, there's the possibility they're going to find one. 

An entire subset of security products — endpoint detection and response (EDR) solutions — has emerged catering to this "compromise is inevitable" attitude. But the majority are tailored exclusively to enterprises with large security teams who can effectively manage their complexity. They also primarily operate by highlighting potential indicators of compromise, meaning any malicious activity they spot is already doing damage. 

In contrast, Barkly provides real-time protection that operates upstream of EDR solutions, monitoring system activity down to the CPU and blocking malicious behaviors before they have a chance to cause any damage. That includes blocking attempts to hijack legitimate, built-in Windows tools and processes — a tactic attackers use to evade detection and bypass whitelisting.  

So in summary, yes, the bad news is attackers are constantly working on new ways to compromise machines while evading detection, but the good news is you don't need a complicated threat hunting solution or a SOC team full of security experts to sniff them out. You can prevent a large number of sophisticated attack techniques simply by following this list of best practices and leveraging an easy-to-deploy and manage solution like Barkly.  

Don't Let Counting on Antivirus Ruin Your Bracket

Attacks have evolved, and the truth is relying solely on AV will only get you so far. To get more details on the types of threats you may be vulnerable to, and learn why the majority of IT pros are replacing or augmenting AV, download your free copy of our AV Gap Analysis.

Bonus: Download the whitepaper between now and March 31 and you'll be entered to win a Nintendo Switch.

Jonathan Crowe


Jonathan covers the latest threats and cybersecurity trends from a practical perspective.
