Targets unprepared as malware-tools competition continues driving attack surge
- 10 April, 2015 09:05
Increasing competition between producers of Web exploit kits is keeping prices for malware-as-a-service (MaaS) offerings low – thereby guaranteeing that an ongoing flood of new malware will continue to torment largely unprepared targets, new analyses have found.
Market prices for MaaS offerings averaged around $US800 to $US1500 ($A1040 to $A1950) per month during 2014, allowing even novice malware authors to easily access specialised tools for launching “complex and highly evasive multi-stage attack”, Websense's 2015 Threat Report has warned.
These tools are providing capabilities including rapid addition of new zero-day payloads, new techniques for sandbox evasion, multi-layer obfuscation technologies, injection of malicious payloads into legitimate traffic streams, and more.
There were so many new threats online that Websense Security Labs had to upgrade its security detection capabilities in 2014, increasing its security update rate by 11.5 percent – to an average of 3.2 updates per second – to keep up with the flood of traffic.
Despite the onslaught of malware attacks, successful compromises were often detected long after the fact – something Websense attributes to a chronic lack of skilled security staff. This gap was only expected to increase as continuation of the growth in attacks compounded problems for malware targets.
To make matters worse, many of those targets are wholly unprepared to deal with even a moderate attack: new global research from security firm RSA found that 30 percent of the 170 surveyed respondents have no formal incident response plan in place – and of those who do, fully 57 percent never update or review those plans.
Over half of respondents to the company's Breach Readiness Survey had no ability to gather data about attacks and provide centralised alerting, while only half had a formal plan for identifying false positives.
More worrying still was the small number of organisations that were actively addressing vulnerabilities: just 40 percent of respondents had an active vulnerability management in place – “making it more challenging,” RSA warned, “to keep their security programs ahead of attackers”.
“People and process are more critical than the technology as it pertains to incident response,” warned Ben Doyle, Chief Information Security Officer, Thales Australia and New Zealand in a statement.
“A security operations team must have clearly defined roles and responsibilities to avoid confusion at the crucial hour. But it is just as important to have visibility and consistent workflows during any major security crisis to assure accountability and consistency and help organisations improve response procedures over time.”
Despite growing success amongst security vendors that are increasingly working together to collect and disseminate what Websense calls 'Indicators of Compromise (IOC)', “the weaponization of malicious tools continues,” the company warns.
“We expect the level of sophistication that we observe in the threat landscape to continue to rise.”
To better cope with this threat, organisations should focus on threat prevention and remediation rather than trying to task IT security staff with analysing and tracking down the source of security attacks, the report advises: “truly successful cybercriminal identification often requires expertise outside of the IT skill set.”
The threat profile in 2014 included a “surprising” shift in which attack activity moved from geopolitical cyber-attacks to attacks on commercial targets that “appear to be nation-state related to disrupt economies, upset consumer confidence, or otherwise drive political agendas.”
Confounding attempts to better deal with such attacks, a bevy of techniques for evading detection were giving malicious actors “untraceable attribution”. These included the use of TOR to ensure anonymity; use of compromised Web sites owned by third parties; use of complex and one-off redirect chains; and more.
The report draws on analysis of data gathered through the company's ThreatSeeker Intelligence Cloud, which handles some 5 billion data points globally every day. Among other points, that analysis found that some 99.3 percent of all command-and-control URLs are reused between different malware samples – suggesting a high degree of commonality in their design.
This article is brought to you by Enex TestLab, content directors for CSO Australia.