Cyber attacks are so prolific today that you need every bit of intelligence available to make your security analysts and your security devices more effective. Malcovery Security offers a service that provides details about the top email-borne threats of the day as they are emerging so you can take proactive steps to block them.
Have you seen the pharmaceutical TV commercial where a businessman attending a meeting is handed a note that says “Your heart attack will happen tomorrow”? The idea of being notified in advance of something so terrible is startling. Obviously if this were possible, the man could take preventative action before the real harm could happen.
What if you could get notifications about cyber-threats? You would learn about today’s emerging threats that are beginning to brew on a global scale and do something about them before they hit your network.
For instance, imagine being told to watch for a fake email message that appears to come from LinkedIn and has the subject line “Let’s connect on LinkedIn.” You’re told the message comes from a specific sender IP address and contains a link that, if activated, is going to download the Zeus malware within the end user’s Application Data folder under a specific file name. You get this notification long before any email messages of this nature even hit your mail server so you have time to block or quarantine the messages from the spoofed domain and keep them away from end users who might be tempted to click the link.
In effect, you’ve just prevented the cyber equivalent of the heart attack.
This kind of actionable intelligence is available today in a report from Malcovery Security. The report is called Today’s Top Threats, or “T3” for short, and it provides explicit information about the most serious email-borne threats that can affect your network today.
I mean that quite literally when I say “today.” Malcovery security analysts create a new report every day to detail what they see as the biggest emerging threat of that day. The daily report is delivered via email in PDF format so it can be consumed by InfoSec analysts and managers. Malcovery T3 also includes multiple machine-readable reports per day so you get the precise information you need to be proactive and ready if and when the threat comes your way.
Malcovery’s unique approach enables you to identify malicious links and attachments that often sail right through spam filters and anti-virus and anti-malware engines. Most traditional security vendors focus their attention on analyzing what is being delivered to you; i.e., the link or the attachment. Malcovery takes a fundamentally different approach to understanding attacks that begin through malicious email campaigns: Malcovery looks at who is behind the malicious email campaigns, and what infrastructure they are using to distribute the emails and accept communications from compromised devices.
Malcovery has learned that one attacker may send hundreds of thousands of email messages in a single day. The attacker will vary the sender domains it spoofs so messages look like they are coming from legitimate companies like FedEx, Bank of America, eBay, the IRS, and so on. The subject line will vary according to the spoofed domain name. What the attacker reuses for all his campaigns, however, are things like the sender IP address or group of addresses, or the IP address of a C&C server. Whether your email from “eBay” wants you to “click to see your payment” or your message from “Facebook” is asking you to “click to connect with a friend,” it’s all using the same backend infrastructure that links these malicious campaigns to a particular attacker.
In this way, Malcovery can quickly see the campaigns an attacker is launching on any given day and watch them unfold. The company has a vast network of email addresses that receive the malicious messages, and this gives the analysts the opportunity to study them in detail. Then they put this intelligence into T3 reports to tell you what those top threats are and exactly what you need to do to block them.
The machine-readable version of the T3 report is in XML and STIX format so information can be directly ingested by existing security infrastructure: firewalls, web gateways, IDS/IPS, SIEM, etc. You can block the known threats within hours of their origination, whereas an anti-virus or anti-malware engine may need days or weeks to create a signature to block the same threats. You also can use this information to investigate attacks and identify threats that may already be inside your network. This form of the report is updated multiple times a day as new campaigns are verified, giving you early-warning information on confirmed threats.
The human-readable form of the report is a PDF document that includes information such as:
- The email subject line
- The message content (what an end user would see if he opens the mail)
- The sender domain that has been spoofed for the campaign
- What the malicious link or attachment does
- What IP address and/or URLs are used in the attack
- The indicators of compromise (IoC) in case the malware gets unleashed in your environment
- An expert analysis of the attack methodology
- Other information that is pertinent to the specific attack
Your security analysts can read this information and do all sorts of things to protect your network. For example, since you know what subject line to look for you can add a rule to quarantine all inbound messages with that subject line. You can check to see if those messages already made it into in-boxes and, if so, whether anyone opened them and clicked the link or attachment. If someone took the bait and unleashed the malware, you can look for the IoCs on your network or in your logs. If the T3 report identifies an IP address for a C&C server, you can block all communication with that address.
By taking action on this information today, you get the added bonus of being protected against future attacks that utilize the same attack infrastructure. For example, Malcovery discovered attackers used the same backend infrastructure for months to launch campaigns with the CryptoLocker malware. If you blocked the campaign based on information from T3, you would have extended protection over the life of the malicious campaigns.
Malcovery Security’s Today’s Top Threat report is designed to give your security analysts and security devices more actionable intelligence to work with every day.
Linda Musthaler is a Principal Analyst with Essential Solutions Corp., which researches the practical value of information technology and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.