


Customized Malware Calls for Improved Network Analysis Tool NetFlow


TMCnews Featured Article

November 26, 2012


By Mae Kowalke, TMCnet Contributor

The nature of cyber attacks is changing. Malware is still the name of the game for most of them, but the attacks are becoming harder to spot, partly because generic malware has been discarded in favor of customized malware written specifically for the organization under threat.

"It's tough to quantify," said David Shackleford, senior vice president of Research and chief technology officer at IANS in an article for TechTarget’s Security Search, "but there is definitely more customized malware seen in attacks today."

Such attacks often go unnoticed for long periods of time, since customized malware slips into a network and carries on its business quietly. Up to 92 percent of organizations breached by malware learn of the incident from a third party, according to the 2012 Verizon Data Breach Investigations Report, highlighting the extra danger of customized malware.

The success of customized malware may be explained in part by defenders' focus on catching the malware itself.

"We often become fixated on the malware component of the attack, perhaps because it is a tangible artifact we can see and analyze once it has been discovered," noted Lenny Zeltser, a senior faculty member at the SANS Institute. "It might be more useful to consider the incident in a larger context: Custom malware is usually used as part of a targeted attack where a motivated adversary strives to achieve an objective."

Organizations need to look at every stage of the attack lifecycle, not just the malware phase. This expanded view must include the ability to detect and respond to incidents as they occur, using technologies such as Flexible NetFlow, a network protocol for exporting and monitoring traffic records.

"Forensic analysis helps the enterprise determine how to proceed to contain the adversary's scope of influence within the organization, remove malicious artifacts, and ultimately recover," suggested Zeltser.

A major U.S. distributor of electronic components recently stymied or at least curtailed a data breach by picking up the attack while analyzing its NetFlow data. Someone was periodically scanning large blocks of IP addresses within the company, which tipped off the distributor that something was wrong.

"We were breached," said the analyst, reported by TechTarget. "We found numerous systems infected in one of our warehouses," he added, "as well as our administrative network."
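The detection the distributor describes, flagging an internal host that sweeps large blocks of addresses, can be expressed as a simple fan-out check over NetFlow records. The block below is an added illustration, not code from the article or from any vendor's product; the CSV column names, the 10.1.x.x addresses and the thresholds are all constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed NetFlow-style export (CSV columns: first_seen, src_ip, dst_ip, dst_port, packets).
# Placeholder addresses: 10.1.20.15 sweeps a /24 with single-packet probes, while the other
# hosts carry ordinary multi-packet sessions.
SAMPLE_FLOWS = "first_seen,src_ip,dst_ip,dst_port,packets\n"
SAMPLE_FLOWS += "".join(f"{1353900000 + i},10.1.20.15,10.1.30.{i},445,1\n" for i in range(1, 61))
SAMPLE_FLOWS += "".join(f"{1353900000 + i},10.1.20.7,10.1.40.{1 + i % 3},443,{120 + i}\n" for i in range(30))
SAMPLE_FLOWS += "1353900100,10.1.20.9,10.1.50.5,3306,4000\n"


def scan_candidates(flow_csv, min_fanout=20, max_packets=3, window=300):
    """Return {src_ip: peak distinct destinations} for sources whose low-volume flows
    (<= max_packets) reach at least min_fanout distinct dst_ip within one time window."""
    buckets = defaultdict(set)  # (src_ip, window_start) -> distinct low-volume destinations
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if int(row["packets"]) > max_packets:
            continue  # real sessions exchange many packets; address sweeps rarely do
        window_start = int(row["first_seen"]) // window * window
        buckets[(row["src_ip"], window_start)].add(row["dst_ip"])
    peaks = defaultdict(int)
    for (src, _), dsts in buckets.items():
        peaks[src] = max(peaks[src], len(dsts))
    return {src: n for src, n in peaks.items() if n >= min_fanout}


if __name__ == "__main__":
    for src, fanout in sorted(scan_candidates(SAMPLE_FLOWS).items()):
        print(f"{src}: {fanout} distinct destinations with <=3 packets in one 5-minute window")
```

On real exports the thresholds need tuning against a baseline of the site's own traffic, since hosts such as monitoring systems and DHCP or DNS servers legitimately fan out to many addresses.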

While setting up better network security monitoring is half the battle, many analysts also recommend taking a whitelist approach to security.

With a whitelist, only approved applications are able to run on the network. And if an application does something it is not supposed to do, it is immediately blocked by default.

"That's not easy all of the time, as environments change and some environments change quite often," noted Pete Lindstrom, research director at Spire Security, in the TechTarget piece. "But to defend against targeted attacks, organizations need to be prudent without being scared."


Edited by Jamie Epstein
