With an increasing proportion of their daily activities conducted electronically, many small and mid-sized businesses are on the hunt for ways to improve their cyber resilience.
Looming threats such as viruses, trojans and ransomware attacks are increasing in number and sophistication and falling victim could cause anything from temporary disruption to significant financial losses.
According to recent industry estimates, more than 640 million malware programs have so far been identified in the wild and around 4000 ransomware attacks are reported every day. These numbers are daunting for any business and the trend shows no sign of abating.
As well as increasing in volume, malware has also become big business. Criminal organisations are behind many attacks because they realise that there is big money to be made. Some even offer their skills and experience to less-skilled criminals to allow them to mount attacks.
All malware currently in circulation can be categorised in one of three ways: known, unknown or evasive.
Known malware is code that has been seen before in the wild and can be identified using reputation and signature-based detection tools. Interestingly, however, 99.9 per cent of exploited vulnerabilities are compromised more than a year after the malware involved was first identified. This is because the affected businesses failed to deploy the patches or updates that would have secured their systems.
Unknown malware is code that has either never been seen before in the wild or for which no signature yet exists. Almost one million new malware threats are released every day, often just slight variants on existing code but sufficiently different to evade detection tools.
Meanwhile, evasive malware uses encrypted communication channels, kernel-level rootkits and zero-day exploits to slip past existing defences. Research shows 70 per cent of all malware now includes at least some sophisticated evasion technologies.
Levels of protection
Having anti-malware tools in place means that a business will be able to stop the vast majority of known threats that represent the bulk of all malware in the wild.
However, when it comes to the unknown and evasive categories, the volume of threats is lower but the risk associated with each one is higher. Achieving effective protection against all categories of threats requires a multi-layer approach to security.
The first layer starts with reputation analysis, where all incoming traffic is scanned for signatures as well as known malicious URLs, domains and IP addresses. This alone will catch a large volume of known threats.
The next layer is static analysis, which involves searching suspected malware for common malware patterns and elements. Files are scanned for these attributes, and any suspicious code is then flagged for closer attention.
A third layer of protection uses dynamic analysis. This involves active monitoring of processes and actions on an endpoint to help identify malware that is already active within the infrastructure.
The fourth layer, called deep analysis, involves techniques such as cloud sandboxes where security staff create a virtual environment in which suspicious code can be run to determine what it is trying to achieve.
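To make the first two layers concrete, here is an added example (not code from the article or from any product it refers to) of a small file-triage routine: a reputation layer that checks a sample's SHA-256 against a signature set and its embedded URLs and IPs against blocklists, followed by a static layer that looks for attributes such as eval() calls, char-code string building, long base64-like blobs and high byte entropy. Anything the reputation layer recognises is blocked outright; anything only the static layer finds suspicious is handed on to dynamic or deep (sandbox) analysis rather than blocked blindly. All hashes, domains, IPs, patterns, thresholds and sample files below are constructed placeholders, not real indicators.

```python
import base64
import hashlib
import math
import re

# ---- Layer 1: reputation data. Constructed placeholders standing in for a
# signature database and a feed of known-bad domains / IPs (not real IoCs). ----
KNOWN_SAMPLE = b"MZ\x90\x00 constructed known-bad sample body"
KNOWN_BAD_SHA256 = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}
KNOWN_BAD_DOMAINS = {"malicious.example"}
KNOWN_BAD_IPS = {"203.0.113.7"}

# ---- Layer 2: static attributes that merit closer attention (constructed
# heuristics; a real engine carries a far larger rule set). ----
SUSPICIOUS_PATTERNS = [
    (re.compile(rb"\beval\s*\("), "eval() call"),
    (re.compile(rb"fromCharCode"), "char-code string building"),
    (re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}"), "long base64-like blob"),
]
ENTROPY_THRESHOLD = 5.0  # bits per byte; plain text sits near 4, packed/encoded data near 6

URL_HOST_RE = re.compile(rb"https?://([A-Za-z0-9.-]+)")
IPV4_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def reputation_layer(data: bytes) -> list[str]:
    """Layer 1: signature match plus known-bad URLs, domains and IP addresses."""
    hits = []
    if sha256_hex(data) in KNOWN_BAD_SHA256:
        hits.append("hash matches known malware signature")
    for host in URL_HOST_RE.findall(data):
        name = host.decode(errors="replace").lower()
        if name in KNOWN_BAD_DOMAINS:
            hits.append(f"references known-bad domain {name}")
    for ip in IPV4_RE.findall(data):
        if ip.decode() in KNOWN_BAD_IPS:
            hits.append(f"references known-bad IP {ip.decode()}")
    return hits


def static_layer(data: bytes) -> list[str]:
    """Layer 2: common malware patterns and attributes, found without running the file."""
    hits = [label for pattern, label in SUSPICIOUS_PATTERNS if pattern.search(data)]
    entropy = shannon_entropy(data)
    if entropy >= ENTROPY_THRESHOLD:
        hits.append(f"high entropy ({entropy:.2f} bits/byte), possible packing or encoding")
    return hits


def triage(data: bytes) -> dict:
    """Run the layers in order and return a verdict with the reasons behind it."""
    reputation = reputation_layer(data)
    if reputation:
        return {"verdict": "block", "reasons": reputation}
    static = static_layer(data)
    if static:
        # Unknown to reputation data but suspicious by its attributes: hand it to
        # dynamic / deep analysis (layers 3 and 4) instead of blocking on a guess.
        return {"verdict": "sandbox", "reasons": static}
    return {"verdict": "pass", "reasons": []}


# Constructed samples for the four outcomes.
SAMPLES = {
    "known": KNOWN_SAMPLE,
    "bad_url": b"<html><script src='http://malicious.example/loader.js'></script></html>",
    "obfuscated": b"eval(atob('" + base64.b64encode(bytes(range(256))) + b"'))",
    "benign": b"Hello, this is a plain text document about quarterly sales figures.",
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, triage(sample))
```

The ordering matters: the cheap reputation lookup runs first and settles the bulk of known threats, and only samples it cannot place reach the costlier static heuristics, which in turn only nominate candidates for the sandbox rather than deciding on their own.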
Malware, in all its forms, is delivered primarily via a network. One widespread method involves so-called 'drive-by downloads' where a user's browser becomes infected after visiting a compromised website.
Another common approach is phishing or spear phishing where communications are designed to appear as though they have come from a known or trusted source. Recipients are encouraged to click on a link or open an attachment which results in their device becoming infected.
A further approach is the use of malware-as-a-service and exploit kits that have been designed to allow less sophisticated criminals to mount attacks. Some of these have been successfully used to mount large-scale ransomware attacks such as CryptoLocker, CryptoWall and Locky.
While malware uses networks to propagate and infect systems, those networks can also be used to detect its presence. Tools can be deployed that monitor network traffic and identify suspicious activity that could be an indication of infection.
These suspicious activities could include large, unexpected data transfers, long connection times or connections to known hostile IP addresses. Others could be dramatic increases in the volume of traffic being blocked or a sudden increase in new encrypted traffic.
To improve an SMB's ability to detect and respond to malware attacks, what's required is a combination of two techniques: threat correlation and threat scoring.
Threat correlation involves comparing events from multiple sources and then cross-referencing this data with the latest threat intelligence available. This requires looking at the network and endpoints in tandem and combining any indicators found into broader incidents. Intelligence gathered in this way is then shared throughout the environment.
Once this has been done, the next step is to apply a threat scoring model which helps the IT team determine which threats are significant, which can be left for later examination, and which can be safely ignored.
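The network indicators listed earlier (large unexpected transfers, long connections, connections to known hostile IPs, a spike in blocked traffic, new encrypted traffic) and the correlation-then-scoring workflow described in the last two paragraphs can be wired together in a few dozen lines. The following is an added example, not code from the article: it derives indicators from constructed flow records and endpoint agent records, cross-references them with a constructed threat-intelligence set, groups everything per host into one incident, and applies a weighted scoring model that sorts incidents into "significant", "review later" and "ignore". All IP addresses, hashes, host names, thresholds and weights are placeholders chosen for the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# ---- Constructed threat intelligence and baselines. Every value here is a
# placeholder for the example; a real deployment pulls these from a feed. ----
HOSTILE_IPS = {"203.0.113.7"}
KNOWN_BAD_HASHES = {"0" * 63 + "1"}  # placeholder SHA-256 of a known sample
TLS_BASELINE = {h: {"198.51.100.10"} for h in ("ws01", "ws02", "ws03")}  # seen-before TLS peers
BASELINE_BLOCKED_PER_HOST = 2

# Thresholds for the network indicators (constructed values).
LARGE_TRANSFER_BYTES = 500 * 1024 * 1024
LONG_CONNECTION_SECONDS = 3600
BLOCKED_SPIKE_FACTOR = 10

# Scoring model: weight per indicator kind and the bands the IT team acts on.
WEIGHTS = {
    "known_bad_process": 50,
    "hostile_ip": 40,
    "large_transfer": 25,
    "blocked_spike": 15,
    "long_connection": 10,
    "new_tls_destination": 10,
}
SIGNIFICANT_AT = 50
REVIEW_AT = 20

# Constructed flow records: (host, dst_ip, dst_port, bytes_out, duration_s, action)
NETWORK_EVENTS = [
    ("ws01", "198.51.100.10", 443, 12_000, 30, "allow"),
    ("ws01", "203.0.113.7", 443, 900 * 1024 * 1024, 7200, "allow"),
    ("ws02", "198.51.100.10", 443, 8_000, 20, "allow"),
    ("ws02", "192.0.2.77", 443, 4_000, 15, "allow"),
    ("ws03", "198.51.100.10", 443, 9_000, 25, "allow"),
] + [("ws02", f"192.0.2.{n}", 445, 0, 0, "block") for n in range(1, 26)]

# Constructed endpoint agent records: (host, event, image, sha256)
ENDPOINT_EVENTS = [
    ("ws01", "process_start", "updater.exe", "0" * 63 + "1"),
    ("ws03", "process_start", "notepad.exe", "a" * 64),
]


@dataclass(frozen=True)
class Indicator:
    host: str
    kind: str
    detail: str


def network_indicators(events, hostile_ips, tls_baseline):
    """Derive the network-side indicators from flow records."""
    found, blocked = [], Counter()
    for host, dst, port, out_bytes, duration, action in events:
        if action == "block":
            blocked[host] += 1
            continue
        if dst in hostile_ips:
            found.append(Indicator(host, "hostile_ip", f"connection to {dst}"))
        if out_bytes >= LARGE_TRANSFER_BYTES:
            found.append(Indicator(host, "large_transfer", f"{out_bytes} bytes to {dst}"))
        if duration >= LONG_CONNECTION_SECONDS:
            found.append(Indicator(host, "long_connection", f"{duration}s to {dst}"))
        if port == 443 and dst not in tls_baseline.get(host, set()):
            found.append(Indicator(host, "new_tls_destination", f"first TLS session to {dst}"))
    for host, count in blocked.items():
        if count >= BLOCKED_SPIKE_FACTOR * BASELINE_BLOCKED_PER_HOST:
            found.append(Indicator(host, "blocked_spike", f"{count} blocked connections"))
    return found


def endpoint_indicators(events, bad_hashes):
    """Derive endpoint-side indicators by matching process hashes against intel."""
    return [Indicator(host, "known_bad_process", f"{image} sha256={sha}")
            for host, event, image, sha in events
            if event == "process_start" and sha in bad_hashes]


def correlate(indicators):
    """Combine network and endpoint indicators for the same host into one incident."""
    incidents = defaultdict(list)
    for ind in indicators:
        incidents[ind.host].append(ind)
    return incidents


def score(incident):
    # Each indicator kind counts once, so a noisy indicator cannot outrank a rare one.
    return sum(WEIGHTS[kind] for kind in {ind.kind for ind in incident})


def verdict(points):
    if points >= SIGNIFICANT_AT:
        return "significant"
    if points >= REVIEW_AT:
        return "review later"
    return "ignore"


def run_pipeline(network_events=NETWORK_EVENTS, endpoint_events=ENDPOINT_EVENTS):
    """Indicators -> correlated incidents -> scored, banded report per host."""
    hosts = {e[0] for e in network_events} | {e[0] for e in endpoint_events}
    indicators = (network_indicators(network_events, HOSTILE_IPS, TLS_BASELINE)
                  + endpoint_indicators(endpoint_events, KNOWN_BAD_HASHES))
    incidents = correlate(indicators)
    report = {}
    for host in sorted(hosts):
        incident = incidents.get(host, [])
        points = score(incident)
        report[host] = {"score": points, "verdict": verdict(points),
                        "kinds": sorted({ind.kind for ind in incident})}
    return report


if __name__ == "__main__":
    for host, entry in run_pipeline().items():
        print(host, entry)
```

In this constructed data ws01 combines a hostile-IP connection, a large and long transfer and a known-bad process into a single incident and scores as significant; ws02 shows only a spike in blocked connections and one new TLS peer, which lands it in the review-later band; ws03 produces no indicators at all. Scoring each indicator kind once rather than per event is a deliberate choice: it stops one chatty detection from drowning out a single high-confidence match such as a known-bad hash.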
By taking this approach - multi-layer protection combined with both threat correlation and threat scoring - an organisation can be confident it has in place robust security measures that will protect against the constantly evolving threat landscape.