You no doubt remember when WannaCry ransomware infected computers around the world in May 2017. You may also remember the data leak that occurred at the Japan pension fund after a targeted malware attack. These are just two examples of cyber-attacks. There are countless others. This is why companies put such great efforts into improving their security posture. But are the controls the right ones, and are they enough?
60% of new malware is undetectable
Intricate targeted attacks have been growing in recent years, and it is incredibly difficult to protect against them all. Targeted malware in particular cannot be detected by signature-based antivirus software, making total defense impossible.
Were you aware that standard antivirus software can only detect around 40% of new malware variants? Even the latest innovations, such as AI-enabled antivirus software, cannot detect them all, achieving detection rates of 95% at best.
This means that if you’re on the receiving end of 100 pieces of malware, you’ll only be able to detect a few dozen. That’s why all companies need to have measures in place to deal with cyber-attacks after they’ve struck, as well as to defend against them in the first place.
So, what does malware do once it bypasses company security controls?
We don’t always know. Once malware executes successfully it can carry out any number of activities – whether it be sitting dormant waiting for a command or collecting information and communicating with external command and control servers. To study its behavior, you have to detect the malware in action and monitor the communication with the external servers. This is the only way to understand its purpose.
Certain malware strains modify their behavior in response to the environment they are active in. This makes them difficult to test in a lab environment as the malware may not even successfully execute. To observe how malware really behaves, you have to activate it in a real environment. Of course, allowing malware to execute in a corporate environment is far too risky. So what can you do?
Luring cyber attackers using skillfully faked networks
In response to this issue, the National Institute of Information and Communications Technology (NICT) in Japan has developed ‘Stardust’ – a cyber-attack platform that lures attackers engaged in targeted attacks and observes their activities over long periods of time.
‘Stardust’ makes it possible to rapidly build networks which “recreate” the IT environments of government and corporate organizations. These then act as if they were real organizations. Once a piece of malware is active in the environment, researchers can observe it in action to see how it attempts to propagate, steal information and engage in other nefarious activities. The stealthy methods used by ‘Stardust’ cannot be detected by attackers, meaning we’re able to do real-time behavioral observation and analysis.
Implementing measures to stop attacks
This type of attack behavior analysis using ‘Stardust’ is something we at Fujitsu work collaboratively on with NICT, using Fujitsu’s “Rapid Forensic Technology”. Our Rapid Forensic Technology automatically interprets and records user account names and remote-control commands from communications used during an attack.
Together these technologies make it possible to find malware and implement reactive measures to deal with it after it has executed. This provides organizations with a higher level of assurance that malware can be detected and remediated. It also reduces the effort required for these tasks compared to alternative measures.
Whilst not every company may be quite at this stage, it is vital that all organizations have the tools and procedures in place to protect their IT environments. As there’s no perfect defense, this doesn’t just mean reducing the risk of attack, it also means being able to deal with attacks should they occur. And when it comes to malware there’s lots to consider.