How malware defeats strong security controls

It's widely acknowledged that the computer networks of organizations large and small are under sustained attack. As networks become more heavily and broadly used, the potential impact will continue to grow.

The 2012 Verizon Data Breach Investigations Report shows that organizations often don't know for weeks, months, or sometimes years that they've been breached. The report indicates that 92% of organizations with a significant incident learned of the breach through notification from an external party, while only 6% of breaches were uncovered through internal monitoring, such as reading security logs.


"Unfortunately, as our research has shown for the last several years, third parties discover data breaches much more frequently than do the victim organizations themselves," Verizon says.

If you keep current with cyber security news you know Verizon has it right. Moreover, it's not a secret that attackers craft custom malware to slink past enterprise defenses, and that on any given day any organization can be compromised. That's the unfortunate reality of where information security stands today.

Malicious techniques such as malware and Advanced Persistent Threats (APTs) are being used by well-resourced, highly motivated, stealthy and patient actors who are adept at disguising their presence and their activities. For the most part, such attacks are carefully planned and crafted, and depend on knowledge of specific targets.

According to Verizon, "the most common malware infection vector continues to be installation or injection by a remote attacker. This covers scenarios in which an attacker breaches a system via remote access and then deploys malware or injects code via web application vulnerabilities. Its popularity as an infection vector likely stems both from the attacker's desire to remain in control after gaining access to a system, and its use in high-volume automated attacks against remote access services. This is most evident in the broader financially-motivated crimes (such as payment card breaches) where malware is not typically the initial vector of intrusion, but rather is installed by the attacker after gaining access. This is not always true for other genres of attacks. With IP theft scenarios, malware often provides the entry point after a successful social attack such as a phishing email."

Trusteer takes this theme one step further in its white paper No Silver Bullet: 8 Ways Malware Defeats Strong Security Controls. The paper provides an overview of how cybercriminals successfully use advanced measures, combining technology and social engineering, to circumvent security controls.

Specifically, the report details the techniques cybercriminals use to defeat security controls and commit fraud, mapping each technique onto a stage in the life cycle of a banking or financial transaction, as follows:

o Pre-login, before the user initiates a transaction. Attack methodology: Exploiting browser vulnerabilities and code obfuscation

o Login, while the user is logging into the web application. Attack methodologies: Bypassing virtual keyboards and real-time theft of two-factor authentication credentials

o Post-login, immediately after authenticating to an online banking site. Attack methodologies: Fake information capture web forms and redirecting SMSs to fraudsters' phones

o Transaction, while the user is conducting a sensitive business transaction. Attack methodologies: Malware adopting human-like behaviors and social engineering overcoming transaction signing protection

o Post-transaction, after the transaction has been approved. Attack methodology: Hiding post authorization validation emails

The findings outlined in this report, though focused on the financial services market that Trusteer serves, validate the perception shared by most organizations across all industry verticals: that security controls are being outwitted by malware and a different security approach needs to be applied.

Trusteer's conclusion: "Cybercrime will eventually prevail if malware is allowed to infect machines and remain undetected and uninterrupted - 'over time cybercrime prevention can simply not coexist with malware infected machines'. Consequently, effective sustainable security requires cybercrime intelligence that identifies new malware attack and infection behaviors, complemented by the ability of the security control (technology and process) to quickly adapt to new threats."

Trusteer believes that searching for security solutions that can turn the table on cybercriminals and maintain the upper hand requires a closer look at the shared attack vectors of successful cybercrime schemes. And more importantly, sustainable security requires intelligence that identifies new malware attacks and infection behaviors, as well as an ability to quickly adapt to new threats.

Increase your awareness on how malware skirts today's security controls. Download the Trusteer white paper here.

Brian Musthaler is a Principal Consultant with Essential Solutions Corporation. You can write to him at


About Essential Solutions Corp:

Essential Solutions researches the practical value of information technology, and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.
