Understanding Destructive Objects
By Tyson Whitten, Vice President of Global Marketing, ReversingLabs
Are you confident in what you saw today?
It’s a simple, yet important question that nobody in security can seem to answer. Automation was supposed to make life easier for the overworked security analyst but has become a complex and noisy grind, given the deployment growth of an endless array of network, endpoint and application security solutions. Plus, these solutions have been limited in effectiveness, with threats continuing to get through while remaining undetected, lurking within.
The reason? From our research, we have found that objects are becoming more and more complex. The size, breadth of formats, trusted third party and open-source risks, and misused certificates have made it nearly impossible to stop malware infected files with today’s traditional security solutions. This has resulted in more entry points for advanced threats to the corporate infrastructure, whether it be from web, mobile, IoT or API connectivity vectors, with more places across the enterprise that are impacted … moving past the security operations command (SOC) to IT and DevOps.
Security teams need a more effective and comprehensive solution to the problem of undetected malware. But which technologies are best for countering this ever-changing threat, which existing security investments can be optimized, and how can they be applied across the enterprise to drive the right business outcomes?
The Malware Situation Today
Many studies and market research reports show that cyberattacks continue to grow in numbers and complexity, and that certain types are hacker favorites. While malware tops the list, phishing and email attacks are not far behind, with ransomware, file related attacks and stolen credentials on the rise.
As the following table from Cisco’s 2019 CISO Benchmark Report shows, malware tops the list. It is the source of very nearly half of all attacks.
Improper File Sharing
The Growing Deluge of Malicious Files
A recent study by the market research firm Radicati Group estimated the number of emails (consumer and business) sent per day during 2018 was 281 billion. The report predicts that the number of emails sent every day will grow to 333 billion by 2022. The report also states that 2.3 percent of all emails have malicious files attached. That means roughly 6.4 billion malicious files are being sent every day and the number is growing.
Supply chain attacks have also taken center stage as a new but major threat. As more companies invest in digital initiatives and expand their IT infrastructure and business processes, they also add software development and DevOps staff. And with the addition of software development life cycle (SDLC) practices to build and deploy applications, we’ve seen the increasing use of open-source software and dependencies on public packages to accelerate schedules. Of course, stringent security measures should be in place to prevent poor selection of that code, but ultimately, open-source options abound, and engineers will use those options to create the applications required. Hence, the emergence of the software supply chain attack: any attack that infiltrates your software life cycle.
One such real-world example includes the Asus attack. In early-2019, hackers went after this device manufacturer’s supply chain, compromising its Live Update server. Thousands of Asus laptop owners downloaded what looked like a routine software update, but instead, they got a file that created backdoor access to their computers. Let us also recall NotPetya, another example of a supply chain attack. This 2017 episode, which WIRED Magazine called “the most devastating cyberattack in history,” was launched as a supply chain attack. A backdoor planted in a popular Ukrainian accounting software package infected many computers in that country and quickly spread worldwide.
Consider the following statistics:
According to a 2019 Carbon Black report 50 percent of all attacks studied were supply chain attacks.
According to a survey conducted in the fall of 2018 by the Ponemon Institute, 56 percent of organizations have had a breach that was caused by one of their vendors.
It’s crucial for security teams to quickly find and neutralize any malware-infected files or objects that have gotten past defenses and are inside their environments. The problem is that too much malware is making it through. Why? Because:
Network-based defenses look at flow data, not at specific files or objects.
A/V systems use signatures of known – not unknown – attacks, so they are always outdated. And most can’t handle large files.
EDR systems look at IOCs using AI to determine if they follow attacks. But they don’t look at files.
Sandboxes have processing constraints that limit their effectiveness and leave them susceptible to evasion techniques.
Source code analysis tools look for vulnerabilities but not for the actual malware hidden within binaries.
The key take-away is that existing security solutions have a difficult time examining files and objects at scale, and determining the true threat picture across the enterprise. As a result, most enterprises lack the ability to look at all the files and objects coming into their environments to assess their ‘DNA’.
Put it another way, virtually every enterprise now has high-risk executable code in the form of files and objects already in their networks, and more are coming in every day. The reason ― files and objects are becoming more complex
The New Object Complexity and the Anatomy of Destructive Files and Objects
Attackers are clever, thorough and patient. They have broadened their method of attack through new file and object vulnerabilities. In particular, four main security challenges have emerged relating to files and objects. The vulnerabilities are as follows:
Size: The size and complexity of large files create opportunities to circumvent existing controls, including sandboxes.
Formats: Old formats change and new ones accompany advances in software, hardware, operating systems and network architectures – and all provide new vectors for attacks.
Trusted Third Party and Open Source Code: Malicious code can make its way into software under development as infected elements from third party code or open source material.
Certificates: Cryptographic or ‘crypto’ certificates can be misused to launch or facilitate attacks, as can undisciplined use of private keys.
More Channels of Entry Means more Department Exposure
The complexity of objects have broadened the channels attackers use to gain entry. This means stopping threats is now a companywide problem from the SOC to IT to DevOps. They hide malicious files and objects in the billions of web, mobile, cloud, and IoT communications that traverse the enterprise. They also insert them in native apps, commercial apps, and third-party or open source code. The bottom line is that malware infected files and objects are coming at organizations from all angles and in increasing numbers. This situation presents risks and challenges not only for the SOC, but also for IT and DevOps teams, and by extension, entire organizations. Destructive file and object risk via more channels and business functions means security needs to be everywhere in an enterprise and active at all times.
With an understanding of destructive objects, the challenge becomes how the SOC, IT and DevOps teams divide and conquer their efforts to tackle them and to more quickly find and neutralize previously undetected malware to eliminate or greatly reduce the damage they cause. For more insight on understanding and addressing destructive objects, feel free to access our perspective where we explore the topic in greater depth.
About the Author
Tyson Whitten is a seasoned marketing executive with over 20 years of security experience at high-growth companies. Tyson serves as the Vice President of Global Marketing for ReversingLabs where he leads all aspects of marketing including go-to-market, awareness, demand generation, field marketing, product marketing, partner marketing, and content marketing. Tyson has held senior leadership positions at CA Technologies (Acquired by Broadcom), SecureWorks, and Guardent (Acquired by VeriSign). Tyson holds a B.S. in Finance and MIS from Boston College and an MBA from Boston College’s Carroll School of Management.
Tyson Whitten can be reached online at https://www.linkedin.com/in/tysonwhitten/ and via the ReversingLabs company website at https://www.reversinglabs.com/company/leadership.