Five Principles to Modern Malware Protection

Posted on : 02-04-2011 | By : jo.rose | In : Cyber Security

Tags: , , , , ,

1

Modern Malware Defined
The modernization of malware has been characterized by attackers’ quests to gain increasing control of compromised computer systems and the networks in which they reside. Whether attackers use viruses, Trojans, bots, or rootkits, Modern Malware is designed for the long-term control of compromised machines. So, Modern Malware often features offensive tactics to disrupt client-based security, like re-writing the Windows HOSTS file to disrupt antivirus signature and patch updates, or by resetting Microsoft security updates to manual. Modern Malware also establishes outbound communications across several different protocols to upload stolen data and to download instructions and further malware payloads for other reconnaissance and malicious purposes.

The modernization of malware has been characterized by attackers’ quests to gain increasing control of compromised computer systems and the networks in which they reside.

As criminals became aware of the value of information being placed online, they quickly got involved in developing Modern Malware for profit. It should be no surprise that the rise in cyber crime has coincided with the increased use of the Internet and especially “Web 2.0” technologies. Law enforcement, computer crime experts, and the military are now playing catch up to the threat posed to consumers, businesses, and national security as cyber criminals cash in on stolen identity data, fraudulent online transactions, and cyber espionage. It is clear that criminals with profit motives or political agendas are the main cause for the explosion of Modern Malware as we know it.

Cyber criminals have developed Modern Malware to bypass outdated security techniques, such as signatures, leaving businesses and consumers vulnerable to attack. Signature-based technologies like IPS and antivirus software, both within perimeter and endpoint solutions, are increasingly ineffective against the rapidly evolving, blended threat of Modern Malware as is evidenced by the continued and successful intrusions into commercial, federal, and educational networks. At the same time, more and more businesses and consumers are storing data on the network, or “in the cloud,” and conducting transactions through the Internet making cyber crime more attractive than.

Understanding the Modern Malware Infection Lifecycle
Modern Malware attacks can no longer be seen as a single incident consisting of exploit, infection, and remediation stages. Today’s attacks are coordinated efforts to penetrate an organization’s defenses and establish a foothold for the purposes of reconnaissance, network asset exploitation, data exfiltration, data alteration, data destruction, and/or establishing ongoing surveillance.

Modern Malware infection lifecycle is the use of advanced, persistent cyber threats in a coordinated fashion to penetrate an organization’s defenses and establish a long-term foothold in the network.

A new approach to understanding Modern Malware attacks is to see it as an infection lifecycle in which the initial exploit or social engineering attack leads directly to a series of follow-on malware infections that persist despite repeated attempts to scan and disable the attack. As Modern Malware has become more sophisticated, conventional client-based antivirus scans and network-based intrusion scans no longer are able to disrupt and stop these coordinated sets of infections and attacks. While some infections are detected and removed by scans, the criminal maintains control over the system using the other, often zero-day, malware components that were not removed to re-install removed malware and disrupt endpoint security to prevent future removal.

Breaking the Modern Malware Infection Lifecycle
Given the serious consequences and ineffectiveness of current solutions, FireEye is publishing and sharing its five key design principles to designing an effective network-based defense to break the Modern Malware infection lifecycle. Solutions should be held up to these criteria as part of any investment decision involving Modern Malware defenses. The 5 key principles are:

  1. Dynamic defenses to stop targeted, zero-hour attacks
  2. Real-time protection to block data exfiltration attempts
  3. Integrated inbound and outbound filtering across protocols
  4. Accurate, low false positive rates
  5. Global intelligence on advanced threats to protect the local network

Dynamic defenses to stop targeted, zero-hour attacks
To be effective, anti-malware solutions need to be intelligent enough to analyze network traffic and processes, rather than just comparing bits of code to signatures. Modern Malware has been developed with conventional defenses in mind to maximize its chances to successfully exploit an end-user system.

A dynamic analysis capability, as opposed to static signature-based comparisons, are critical to enable a product to detect and stop polymorphic malware on the wire as well as malware hosted on dynamic, fast-changing domains.

In order to address these modern threats, a real-time, dynamic, and accurate analysis capability is critical. Rather than relying on signatures and lists, we must be able to dynamically recognize new attacks in real time, without requiring a priori knowledge of vulnerability, exploit or variant, and then prevent system compromise and data theft.

Real-time protection to stop data exfiltration attempts
To protect the network, real-time analysis and blocking are essential to stopping data exfiltration that can take place within minutes, if not seconds, of the zero-hour infection. It is important to be able to dynamically analyze network traffic to capture and detect zero-hour malware, but equally important to provide real-time capabilities to stop the outbound callback communications to disrupt the malware infection lifecycle.

Integrated inbound and outbound filtering across multiple protocols
Modern threats are comprised of attacks on multiple fronts, exploiting the inability of conventional network protection mechanisms to provide a unified defense; as soon as one vulnerability is defended, network attacks quickly shift to another.

It is now possible to have both inbound attack detection and outbound malware transmission filtering all in an appliance form factor providing administrators with a clientless solution that is easy to deploy and maintain. So, it is critical to provide thorough coverage across the many vectors that are used in attacks and that can keep pace with the dynamic nature of modern attacks. Defending corporate networks from modern malware threats requires new protections that function across many protocols and throughout the protocol stack, including the network layer, operating systems, and applications.

Accurate, low false positive rates
Other technologies whether heuristic or behavioral, analyses are touted as an encouraging development, but in practice they are too inaccurate or compute intensive to function as standalone, real-time security mechanisms. This methodology often augments an anti-malware solution’s signature protections, but at the same time increases the likelihood of false positive alerts. The sheer volume and escalating danger of modern attacks are overwhelming limited IT resources and outmaneuvering conventional defenses.

Global intelligence on advanced threats to protect the local network
To maximize preemptive protection against a dynamic cyber threat, it is important to have a global network to provide the latest intelligence on malware threats and zero-hour attacks. Real-time malware intelligence to protect the local network against zero-day malware and advanced persistent threats can stop outbound callbacks that threaten to exfiltrate sensitive data. By building an intelligence sharing network with customers, technology partner networks, and service providers around the world it would be possible to share and efficiently distribute the malware security intelligence to essentially serve as an Internet cyber crime watch system and stop both inbound attacks and unauthorized outbound callbacks to prevent data exfiltration, alteration, and destruction.

Contributer: Paul Davis – Director of Operations Europe – FireEye ( www.fireeye.com )

No time for being Anti Social

Posted on : 02-04-2011 | By : jo.rose | In : General News

Tags: , , , ,

0

In everyday life, admitting to being anti social can be a wonderful thing. It means you are never expected to take part in a charity fun run, it can excuse you from the post work pub quiz every Tuesday and can even get you out of the odd Christmas outing. At worst you will be labelled a miserable bore but of course you can live with that if it guarantees a night in with a box set and blissful solitude. In business however, being anti social has much greater consequences.

You will have spotted that the behaviour of companies is under the spotlight like never before. Transparency and authenticity are the buzz words of 2011 and despite feeling that social media does not fit the ‘personality’ of your company, I’m afraid that you are still expected to get involved and open up. This can be a tricky transition for any company, but is especially uncomfortable for those who are steeped in the traditions of the City. There is a reason that you have chosen an office on Bishopsgate as opposed to Soho, and why your receptionist greets visitors with integrity and professionalism as opposed to an overly familiar high five. You have never considered putting a pool table in the canteen or hosting online poker tournaments with your clients because you are not a marketing agency or a cheeky young tech start up.  Finance is a serious business and the idea of using social networks to communicate your wisdom and achievements seems, at best, inappropriate and at worst a waste of valuable time.

But companies are increasingly judged on their ability to embrace and respond to comment and criticism and it is hard to control public and shareholder perception from behind an oak paneled door. A carefully worded press release and glossy annual report are no longer sufficient to communicate your corporate message and although you might find the idea of social media a little vulgar, you may be surprised at its potential, and what a serious business it can be.

Imagine some crazed, embittered employee bursting in on a crucial meeting with potential investors and ranting on about conspiracy theories. You could control that scenario because you would be there, explaining away the employee’s behaviour with claims of insanity and alcohol abuse. But if that employee took to Twitter to share his opinions, who would be there to act in your defence and escort him quietly away? And don’t be comforted in the knowledge that your investors are not the type to spend hours online, because even more terrifying is that journalists are. If you have been blissfully ignoring a conversation taking place under your Twitter nose then you’ll soon spot it when it appears in the business headlines.

A brilliant example of this happened as far back as 2004 when an enthusiastic blogger reported how he had managed to pick a ‘Kryptonite’ bicycle lock with a Bic pen. This was ignored by Kryptonite but picked up by the New York Times, resulting in $15m worth of product recalls and immeasurable damage to reputation.

More recently of course we must not forget BP who spent a reported £93m on advertising to counteract the colossal impact of the Mexican oil spill whilst a fake Twitter account pretending to represent the company was quietly amassing followers and no less than 350 Facebook groups sprung up to boycott the brand, turning their online PR into a laughing stock.

These examples of social media ‘fails’ are all over the internet and companies are finally wising up to the relevance of joining online communities but many are still dipping their toe in and hoping that to be seen to be making an effort is enough (a bit like attending a networking event and slinking off after the first glass of champagne).

Information is knowledge and our unprecedented access to information presents as many opportunities for business as it does threats. For example, market research must no longer be a lengthy and expensive undertaking as you can now get a snapshot of opinion in seconds using online networks and it is how you respond to that intelligence that will define you as successfully social.  

In 2011 the fundamental shift in how we communicate is well underway and thankfully the tools for business to not only keep up but also lead this social revolution are readily available. If you normally host a drinks reception for your most treasured shareholders, carefully compiling a guest list to ensure no troublemakers are invited, you must now accept that you do not control who attends your metaphorical online soiree and even the most nuisance blogger can gatecrash and be seated in between your well behaved guests. Or worse, the nuisance blogger can throw the party and not invite you. It is time to stop being anti social. Make sure you host the party and control the conversation about your business. Become a veritable party animal and represent yourself at every social gathering thrown by your industry on the web because this is where the people with the most influence over your business could be spending time and is the only place you can avoid a social faux pas and becoming yet another ‘fail’ statistic.

Oh, and don’t forget you can attend these metaphorical parties from the comfort of your desk or even better your own home, where you choose the wine and there is no chance of missing the last train. It is social for even the most anti social. Perfect.

Contributer: Paul Newman – Director – Ultraknowledge ( www.ultraknowledge.com ). 

For a demo of our content web technology contact paul@ultraknowledge.com  or for social strategy and training contact Jenni@ultrasocial.co.uk.

The ultimate way to move beyond trading latency?

Posted on : 01-04-2011 | By : richard.gale | In : General News

Tags: , , ,

3

A number of power surges and outages have been experienced in the East Grinstead area of the UK in recent months. Utility companies involved have traced the cause to one of three  high capacity feeds to a Global Investment bank’s data centre facility.

The profits created by the same bank’s London based Propriety Trading group has increased tenfold in the same time.

This bank employs 1% of the world’s best post-doctoral theoretical Physics graduates  to help build its black box trading systems

Could there be a connection? Wild & unconfirmed rumours have been circulating within  the firm that a major breakthrough in removing the problem of latency – the physical limitation the time it takes a signal to transfer down a wire – ultimately governed by of the speed of light.

For years traders have been trying to reduce execution latency to provide competitive advantage in a highly competitive fast moving environment. The focus has moved from seconds to milli and now microsecond savings.

Many Financial Services & technology organisations have attempted to solve this problem through reducing  data hopping, routing, and going as far as placing their hardware physically close to the source of data (such as in an Exchange’s data centre) to minimise latency but no one has solved the issue – yet.

It sounds like this bank may have gone one step further. It is known that at the boundary of the speed of light – physics as we know it -changes (Quantum mechanics is an example where the time/space continuum becomes ‘fuzzy’). Conventional physics states that travelling faster than the speed of light and see into the future would require infinite energy and so is not possible.

Investigation with a number of insiders at the firm has resulted in an amazing and almost unbelievable insight. They have managed to build a device which ‘hovers’ over the present and immediate future – little detail is known about it but it is understood to be based on the previously unproven ‘Alcubierre drive’ principle. This allows the trading system to predict (in reality observe) the next direction in the market providing invaluable trading advantage.

The product is still in test mode as the effects of trading ahead of the data they have already traded against is producing outages in the system as it then tries to correct the error in the future data which again changes the data ad finitum… The prediction model only allows a small glimpse into the immediate future which also limits the window of opportunity for trading.

The power requirements for the equipment are so large that they have had to been moved to the data centre environment where consumption can be more easily hidden (or not as the power outages showed).

If the bank does really crack this problem then they will have the ultimate trading advantage – the ability to see into the future and trade with ‘inside’ knowledge legally. Unless another bank is doing similar in the ‘trading arms race’ then the bank will quickly become dominant and the other banks may go out of business.

The US Congress have apparently discovered some details of this mechanism and are requesting the bank to disclose details of the project. The bank is understandably reluctant to do this as it has spent over $80m developing this and wants to make some return on its investment.

If this system goes into true production mode surely it cannot be long before Financial Regulators outlaw the tool as it will both distort and ultimately destroy the markets.

Ironically the project has a codename…. Project Manhattan

No one from the company was available to comment on the accuracy of the claims.