How to be the cat - not the mouse - in the fight against zero-day malware
Zero-day malware mutations can spell disaster for networks: they often get in undetected by traditional security protection. According to security company Ixia, combating zero-day attacks calls for continuous monitoring that tracks the source and destination IP addresses of all network traffic.
Without that, the next Locky is waiting to happen. Locky spawned a zero-day mutation that only 10% of antivirus programs detected, which Ixia says demonstrates both the shape of new attacks and the need for new defences.
“As hackers develop new attack techniques, security professionals work to strengthen defences. This game of cat and mouse creates a cycle of adaptation and change, resulting in malware capable of changing itself to avoid detection by traditional antivirus systems," comments Scott Register, vice president, product management, Ixia.
“Zero-day mutations have different characteristics to existing malware. Antivirus systems can only protect against malware they can identify, which is why new strains, or zero-day mutations, can pass undetected and infect the network," he says.
Locky carries out what Ixia calls a multi-stage attack. It starts with a phishing email carrying a document. If the document is opened and its macros run, the macros connect to an attacker's remote server and download the ransomware, which then encrypts the victim's files and presents its ransom demand.
“These multi-stage attacks are especially dangerous, as they can bypass detection by virtualised sandboxes. Most sandboxes do not flag macros as malicious. Furthermore, they only inspect email-based traffic. Once a macro has been activated on the user’s PC, the malicious payload is delivered by a different route, avoiding the sandbox entirely," Register explains.
The Locky ransomware is an example of mutated malware, which the company says can be 'near impossible' to remove from IT systems. Therefore, it's imperative that security vendors catch it before it does major damage.
Register believes that organisations need to focus on the origin of malware, not only what its type is and how it's delivered. He says that 'bad' IP addresses can be easily identified.
“Rarely will a ‘bad’ IP address become trustworthy. Cyber-criminals’ potential IP addresses are scarce. Hackers must either find and compromise an individual server, or hijack a range of IP addresses via Internet routing manipulation. This is neither simple nor easy and, as a result, IP addresses are continually reused for criminal purposes. Even brand-new malware variants are invariably connected to a relatively small number of known compromised IP addresses, which comprise tens of millions out of 4.3 billion IPv4 addresses," he says.
Once those IP addresses are identified, they can be completely blocked using a threat intelligence gateway that offers continuous monitoring and intelligence about known bad addresses.
“Even if a user falls victim to a phishing email and opens a document with macro ransomware inside, the threat intelligence gateway will stop the macro from communicating to the IP address. This nullifies the danger to the user and the wider enterprise network," Register says.
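The "block by origin" idea described above can be shown in a few lines. The example below is added here for illustration and is not Ixia's product code: it parses a small reputation feed (single hosts and CIDR ranges), runs constructed flow records through an origin check first and a payload-signature check second, and shows why the order matters. The addresses come from RFC 5737 documentation ranges, and the payload hashes and log lines are made up; the second flow is a never-seen mutation (unknown hash) calling back to a listed Locky address, which a signature-only check would let through.

```python
"""Egress filter that blocks on destination-IP reputation before it looks at
payload signatures. Added example, not Ixia's code. Every address, hash and
log line below is constructed (RFC 5737 ranges, fake hashes)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed threat-intel feed: "address-or-CIDR, label" per line.
BAD_ORIGINS = """\
# address/CIDR, label
198.51.100.23, locky-c2
203.0.113.0/24, bulletproof-hosting
192.0.2.77, phish-dropper
"""

# Constructed signature store: only payloads already seen get a name.
KNOWN_BAD_HASHES = {"3f0c9e1a": "Locky (original build)"}

# Constructed flow records: time src dst dport proto payload-hash
# ("-" when nothing was downloaded). Line 2 is an unknown payload fetched
# from a listed address; line 4 is a known payload from an unlisted address.
SAMPLE_FLOWS = """\
2016-03-01T10:02:13Z 10.0.0.15 192.0.2.10 443 tcp -
2016-03-01T10:02:41Z 10.0.0.15 198.51.100.23 80 tcp 7b6d2e44
2016-03-01T10:03:05Z 10.0.0.22 203.0.113.45 8080 tcp -
2016-03-01T10:04:19Z 10.0.0.9 192.0.2.10 80 tcp 3f0c9e1a
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str
    payload_hash: Optional[str]


def load_blocklist(text):
    """Parse the feed into (network, label) pairs; a bare address becomes a /32."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        addr, _, label = line.partition(",")
        net = ipaddress.ip_network(addr.strip(), strict=False)
        entries.append((net, label.strip() or "unlabelled"))
    return entries


def origin_label(ip, blocklist):
    """Return the feed label if ip lies in any blocked host or range, else None."""
    addr = ipaddress.ip_address(ip)
    for net, label in blocklist:
        if addr.version == net.version and addr in net:
            return label
    return None


def parse_flow(line):
    ts, src, dst, dport, proto, digest = line.split()
    return Flow(ts, src, dst, int(dport), proto, None if digest == "-" else digest)


def classify(flow, blocklist, signatures):
    """Origin check first: it catches payloads no signature has seen yet.
    The signature check only adds a name for payloads already on file."""
    label = origin_label(flow.dst, blocklist)
    if label:
        return f"block:origin:{label}"
    if flow.payload_hash in signatures:
        return f"block:signature:{signatures[flow.payload_hash]}"
    return "allow"


def filter_flows(log_text, feed_text=BAD_ORIGINS, signatures=KNOWN_BAD_HASHES):
    """Return (flow, verdict) pairs for every non-empty record in log_text."""
    blocklist = load_blocklist(feed_text)
    flows = (parse_flow(l) for l in log_text.splitlines() if l.strip())
    return [(f, classify(f, blocklist, signatures)) for f in flows]


if __name__ == "__main__":
    for flow, verdict in filter_flows(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport} "
              f"hash={flow.payload_hash or '-'} {verdict}")
```

Run as-is, the mutation on line 2 is blocked by origin even though its hash is unknown, the range hit on line 3 is blocked without any payload at all, and line 4 falls through to the signature check. Swapping the two checks in `classify` would let line 2 through, which is the gap the quoted argument is about.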
Ixia recommends that organisations use three detection layers, covering malware identification, delivery and origin, to protect against new malware and zero-day mutations.