- October 13, 2017
- Data Protection
What do you call sophisticated malicious software that has been designed with outstanding evasion and infection capabilities, which avoids being detected – and can remain hidden for extended periods of time as it conducts complex and damaging cyberattacks?
Did you even know that such code existed?
There are criminal organisations that dominate this dark space who are creating the malware tools and malware as-a-service products that the smaller or less sophisticated crime rings use.
They are designed to bypass the traditional signature based detection within network and email gateways and to defeat intrusion protection systems and firewalls.
Using multiple transformation techniques they simply change their signature. In any event, with a million new malicious objects being created every day conventional security controls and organisations simply cannot keep up. And even more cunning, if the criminal limits use of a particular exploit, then it may never be detected by the anti-virus industry.
The so called “sandbox” was designed to catch these. Put the code in a separate “box” and examine it there before you let it in, great idea. Except this code is intelligent, it knows when it is in a sandbox (or in a virtual machine) and so makes itself look harmless.
The ultimate penetration avoids the operating system completely and goes straight for the root, deep in the bowels of the computer where it cannot be found, and yet can emerge and connect back to its control host for further instructions.
This is clearly warfare, so how do you protect yourself if Anti-Virus software and Firewalls are of limited use?
Firstly, do not abandon the traditional protection methods as there are still countless “script kiddies” using methods developed years ago, such as the phishing attack. Start with basic staff training, ensure up to date code, use and log password controlled accesses and ensure your anti-virus protection is up to date.
Secondly, deploy a firewall and use its features, close unwanted ports, quiz the supplier on how best to use its facilities. (There is also a firewall feature in Windows 10 for standalone PC users)
There are two more things that you can do, the first is to deny the hacker any benefit from their attack by making any information they get from you unusable, and thus of no value to them. That is achieved by encrypting your data.
The second is to deploy the traditional intelligence led defence by “knowing your enemy”, that is who they are, where they are, and what they are doing. This is called Threat Intelligence, and denies access before it even gets onto your network from known criminal sources. (Of course they react by constantly disguising themselves, but they have to operate from somewhere and the defence community normally catches up with them within twenty minutes and updates the detection).
The final trick is to stop the infected computer from “calling home”. If it cannot do that, then it cannot get instructions, and also has no channel to exflitrate data. That is easier for specialist threat intelligence operators, because the IP address has to be coded into the penetration software, so there is a very good chance of picking up where they would try to get to, and stop the connection.
Of course it is a constant arms race, you can never relax, but if your data is unencrypted and you have no threat intelligence protecting you, then you are doing the equivalent of fighting laser guided missiles with a blunt spoon.
The DPO Centre can provide you with the advice and guidance you need in order to best protect your data. Please contact us for further information.