Targets unprepared as malware-tools competition continues driving attack surge

Increasing competition between producers of Web exploit kits is keeping prices for malware-as-a-service (MaaS) offerings low – thereby guaranteeing that an ongoing flood of new malware will continue to torment largely unprepared targets, new analyses have found.

Market prices for MaaS offerings averaged around $US800 to $US1500 ($A1040 to $A1950) per month during 2014, allowing even novice malware authors to easily access specialised tools for launching “complex and highly evasive multi-stage attack”, Websense's 2015 Threat Report has warned.

These tools are providing capabilities including rapid addition of new zero-day payloads, new techniques for sandbox evasion, multi-layer obfuscation technologies, injection of malicious payloads into legitimate traffic streams, and more.

There were so many new threats online that Websense Security Labs had to upgrade its security detection capabilities in 2014, increasing its security update rate by 11.5 percent – to an average of 3.2 updates per second – to keep up with the flood of traffic.

Despite the onslaught of malware attacks, successful compromises were often detected long after the fact – something Websense attributes to a chronic lack of skilled security staff. This gap was expected to widen as continued growth in attacks compounded the problems facing malware targets.

To make matters worse, many of those targets are wholly unprepared to deal with even a moderate attack: new global research from security firm RSA found that 30 percent of the 170 surveyed respondents have no formal incident response plan in place – and of those who do, fully 57 percent never update or review those plans.

Over half of respondents to the company's Breach Readiness Survey had no ability to gather data about attacks and provide centralised alerting, while only half had a formal plan for identifying false positives.

More worrying still was the small number of organisations that were actively addressing vulnerabilities: just 40 percent of respondents had active vulnerability management in place – “making it more challenging,” RSA warned, “to keep their security programs ahead of attackers”.

“People and process are more critical than the technology as it pertains to incident response,” warned Ben Doyle, Chief Information Security Officer, Thales Australia and New Zealand, in a statement.

“A security operations team must have clearly defined roles and responsibilities to avoid confusion at the crucial hour. But it is just as important to have visibility and consistent workflows during any major security crisis to assure accountability and consistency and help organisations improve response procedures over time.”

Despite growing success amongst security vendors that are increasingly working together to collect and disseminate what Websense calls 'Indicators of Compromise (IOC)', “the weaponization of malicious tools continues,” the company warns.

“We expect the level of sophistication that we observe in the threat landscape to continue to rise.”

To better cope with this threat, organisations should focus on threat prevention and remediation rather than trying to task IT security staff with analysing and tracking down the source of security attacks, the report advises: “truly successful cybercriminal identification often requires expertise outside of the IT skill set.”

The threat profile in 2014 included a “surprising” shift in which attack activity moved from geopolitical cyber-attacks to attacks on commercial targets that “appear to be nation-state related to disrupt economies, upset consumer confidence, or otherwise drive political agendas.”

Confounding attempts to better deal with such attacks, a bevy of techniques for evading detection was giving malicious actors “untraceable attribution”. These included the use of Tor to ensure anonymity; use of compromised Web sites owned by third parties; use of complex and one-off redirect chains; and more.

The report draws on analysis of data gathered through the company's ThreatSeeker Intelligence Cloud, which handles some 5 billion data points globally every day. Among other points, that analysis found that some 99.3 percent of all command-and-control URLs are reused between different malware samples – suggesting a high degree of commonality in their design.

This article is brought to you by Enex TestLab, content directors for CSO Australia.


Stories by David Braue
