At a cyber security conference in Calgary, held by IQPC with CSO Digital and IT World Canada as media sponsors, Scott Stevens, Vice President of World Wide Service Provider Sales for Palo Alto, showed an interesting trend. Malware attacks, it seems, have a seasonal component. They spike at US Thanksgiving and peak during the Christmas season.
It truly is a seasonal peak, as the data Stevens showed indicated. While the fall spike in activity is very pronounced, “by the 28th of December,” says Stevens, “they slow right down and are far less sophisticated. Summer is another slow time.”
Stevens didn’t have an explanation for the seasonality of malware attacks, but he presented this and other very interesting data gathered from Palo Alto’s customer base over the past year.
Palo Alto’s WildFire cloud deals with approximately 30,000 pieces of unknown malware a day. Stevens pointed out that this is up from about 1,000 pieces of malware per day several years back, and that it is only a fraction of the more than 3 million files processed each day.
Stevens noted that the vast majority of these files were PDFs, Flash and, increasingly, Word and similar files. These are, Stevens said, “the least dangerous,” as opposed to the .exe and .dll files, which represent between 3 percent and 8 percent of files uploaded and are the most dangerous.
In fact, the number of applications delivering malware grows each year. Beyond the usual suspects like Dropbox and SharePoint, which Stevens says are delivering more and more infected files, his study showed that “there are over 50 different file sharing applications that I’d never heard of in my life.” The “zero-day malware trend continues, over an increasing number of application types.”
Not only is the growth in files and file sharing an issue, but dealing with the source of malware traffic is difficult, to say the least. There are 150 to 300 new DNS rules every minute, reflecting the ever-changing “command and control” sites that deliver malware and malicious attacks.
The complexity, says Stevens, is such that “even the anti-virus guys are giving up.”
The solution to what might be an annual overload of malware requires some different approaches. Stevens suggests that companies adopt a “zero trust architecture” to break the chain. In this model, rather than trying to identify each piece of malware, the system looks for “inappropriate usage.” Such a system uses “whitelists” to define what is available to a user, a process or even a device. When deviations from the whitelist occur, that is the time for greater scrutiny.
Under such a system, Stevens notes, the Target breach would have been reported much earlier. While the Target vendor that caused the breach, an HVAC contractor, did have the authority to log into the POS system, doing so was uncharacteristic behaviour, and in a whitelist or zero trust system it would have been detected right away.
Spotting this type of anomalous behaviour, where rules are not broken but norms are violated, is not only a more flexible form of security; it can trap a much wider range of problems than simple rules-based approaches. It has only been a few years since former Mayor Rob Ford’s medical records were “hacked,” not by some malicious outsider, but by someone who had access to them but probably should not have needed to view them.
Likewise, notes Stevens, we should also restrict technical behaviour. Limiting what servers can or should talk to each other can help contain the type of “sideways movement” that allows malware to traverse the internal network and hide in machines that are not immediately detected as breached. “While someone is going down the hall with an infected laptop,” says Stevens, “that same malware can move horizontally across a network, making it almost impossible to fully detect and remove.”
This idea of “ensuring not only that you are who you say you are but that you are doing the types of things we should expect from you” allows companies to spend more time on prevention. “If we have to detect it,” says Stevens, “it makes sense that we do it before the attack is launched.” Behaviour that is in violation of a whitelist, says Stevens, is “either malware, inappropriate behaviour or bad policy.”
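To make the whitelist idea from the preceding paragraphs concrete, here is an added example (not the article’s or Palo Alto’s code) of a minimal allowlist deviation checker. It profiles which accounts are expected to use which services and which servers are expected to talk to which servers, then flags anything outside those profiles, including an authenticated login that is simply out of character (the HVAC-contractor-to-POS pattern described above) and server-to-server traffic that skips a tier or has no profile at all. All account names, hostnames and log lines are constructed for illustration.

```python
# Added example: allowlist ("whitelist") deviation checker in the spirit of the
# zero trust approach described in the article. Not Palo Alto code; every
# identity, hostname and log line below is constructed.

ALLOWED_LOGINS = {
    # account -> services that account is expected to use
    "hvac-vendor": {"building-mgmt"},
    "store-mgr": {"pos", "inventory"},
}

ALLOWED_CONNS = {
    # server -> servers it is expected to talk to (east-west traffic profile)
    "web-01": {"app-01"},
    "app-01": {"db-01"},
}


def parse_event(line):
    """Parse one constructed log line of the form 'kind key=val key=val ...'
    into a (kind, fields) pair. Returns None for blank or malformed lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    kind, fields = parts[0], {}
    for token in parts[1:]:
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        fields[key] = value
    return kind, fields


def check_event(kind, fields):
    """Return a deviation description, or None if the event fits the allowlist.
    A principal with no profile at all is itself a deviation: the allowlist says
    nothing about it, so the activity deserves scrutiny rather than a pass."""
    if kind == "login":
        account, service = fields.get("user"), fields.get("service")
        allowed = ALLOWED_LOGINS.get(account, set())
        if service not in allowed:
            return f"login: {account} -> {service} not in profile {sorted(allowed)}"
    elif kind == "conn":
        src, dst = fields.get("src"), fields.get("dst")
        allowed = ALLOWED_CONNS.get(src, set())
        if dst not in allowed:
            return f"conn: {src} -> {dst} not in profile {sorted(allowed)}"
    else:
        return f"unknown event kind {kind!r}"
    return None


def find_deviations(log_lines):
    """Run every line through the allowlist and collect the deviations."""
    deviations = []
    for line in log_lines:
        parsed = parse_event(line)
        if parsed is None:
            deviations.append(f"malformed line: {line!r}")
            continue
        reason = check_event(*parsed)
        if reason:
            deviations.append(reason)
    return deviations


# Constructed sample log: rules are "followed" in every line (each principal
# exists and authenticates), but three lines violate the expected norms.
SAMPLE_LOG = [
    "login user=hvac-vendor service=building-mgmt",   # expected
    "login user=hvac-vendor service=pos",             # authenticated, but out of profile
    "login user=store-mgr service=pos",               # expected
    "conn src=web-01 dst=app-01",                     # expected tier-to-tier hop
    "conn src=app-01 dst=db-01",                      # expected
    "conn src=web-01 dst=db-01",                      # skips a tier: not in profile
    "conn src=pos-term-7 dst=pos-term-8",             # peer-to-peer: no profile at all
]

if __name__ == "__main__":
    for deviation in find_deviations(SAMPLE_LOG):
        print(deviation)
```

The point of the design is that the checker never needs a signature for any particular piece of malware: the allowlist is the expected-behaviour profile, and every line that falls outside it is one of Stevens’ three cases (malware, inappropriate behaviour or bad policy) for a person to look at. Tightening `ALLOWED_CONNS` to the few hops each server legitimately needs is exactly the limit on server-to-server talk that the next paragraph recommends for containing sideways movement.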
Ultimately, says Stevens, it’s not only more effective than the complex identify-and-block approach to malware prevention, it’s a “much simpler system.” And if “we take some of the complexity out of security,” Stevens says, “we’ll become more secure,” despite the growth in volume year over year and on a seasonal basis.