Skip to content

A not-so-secret secret….

The history lesson

In the golden days of IT security you could count the number of new viruses and malware being released into the wild per day on your fingers. This meant that engineers working for anti-virus companies were able to capture, analyse and update their products in a fairly timely fashion that managed to protect most users.

The method of detection and protection used in these anti-virus products is to generate a “signature” or pattern that allowed the product to detect and delete the malware.

As time marched on the number of malware released into the wild started to grow exponentially, outstripping the pace anti-virus companies could hire engineers to manually capture, analyse and produce signatures for their respective products. To solve this all major vendors developed (or purchased) technology designed to automate this process. Vast networks of “honeypots” exist to attract and capture malware which are fed into systems that automatically analyse the sample, produce a signature and provide it for the endpoint anti-virus to download.

In theory this process works, but has three major issues:

  • Time. The process of capturing, analysing and then distributing the signatures takes time. The time period can be anywhere from 1-48 hours.
  • AV updates. An anti-virus product cannot protect against the latest malware until it has downloaded a new set of definitions from its update server(s). In the case of travelling staff in today’s mobile workforce laptops may be disconnected from the internet for periods of time during which countless new malware will be introduced to the wild.
  • What’s the first thing most staff do when they get back online after travelling without internet? They check their emails, which quite possibly include a new form of malware which our weary traveller clicks on – all before their anti-virus product has had a chance to download and install the latest signatures.
  • “Sacrificial lamb”. The reality of signature based anti-virus is that someone, or something (honeypot), generally needs to be infected by malware before it can be detected and protections put in place. This means that if you are unlucky and get targeted first you are left defenceless by your anti-virus product.

Today we are seeing almost 400,000 new malicious programs every single day.
You can start to see the above approach is a numbers game, where eventually your business is going to fall through the cracks and get infected.

Targeted attack

Let’s take this a step further and instead look at the situation if a motivated attacker wanted to infect your organisation. For most businesses this can be achieved simply with the following steps:

Step one. Obtain malware sample that has not be used in the wild.
This sounds like it should be difficult, but believe me – this is the easy part. I’ll go further in depth on this point in a future post, but for now trust me that any reasonably clever attacker can achieve this. Remember that over four hundred thousand new malware variants are detected each day.
Step two. Get a user to run the malware.This is generally done by using a bit of social engineering, IE: sending an email containing relevant information tricking the user into performing an action or running a file. Company websites and news articles provide a wealth of information regarding company staff names, travel plans and events they are taking part in.

It doesn’t take much imagination to see a scenario where an attacker learns that CompanyX is taking part in EventY via a recent news article, so they decide to send a malicious email to a sales manager with something like:

“Hi Judy,
In preparation for the upcoming EventY, John has asked me to send you the event timeline.
I’ve attached it to this email, and I look forward to seeing you and Sam there on the day!Thanks,

Tom
EventY organiser”

Judy – Sales manager for CompanyX (name taken from company website)

John – Business owner of CompanyX (name taken from company website)

Sam – Salesman for CompanyX (name taken from company website)

It seems simple, but by personalising the scam email with accurate names, and centering it around a real event it would take an exceptionally switched on staff member to not click on the attachment. In most cases this form of targeted attack would result in successful execution of the malware.

Step three.

It seems simple, but by personalising the scam email with accurate names, and centering it around a real event it would take an exceptionally switched on staff member to not click on the attachment. In most cases this form of targeted attack would result in successful execution of the malware.

Where was your anti-virus during all of this?

It was happily sitting there telling you that everything was up to date and you were protected. Because the malware hasn’t been seen in the wild, there was no signature for it, so the product had no way of detecting the infection.

Facebook
Twitter
LinkedIn

Related Posts

Phishing has always been a threat. Now, with AI, it’s more dangerous than ever. Phishing 2.0 is here. It’s smarter, more convincing, and harder to detect. Understanding this new threat is crucial.
Looking for a more local flavour to its IT support and service, Palmerston North’s Central Business Innovation didn’t have far to go in finding the ideal partner.
With the data security of medical clients a key concern for Auckland-headquartered managed services provider Think I.T., the company turned to Advantage for the integration of its AdvantageProtect and AdvantageMDR solutions into its service offerings.