Targeted, custom and polymorphic malware is obviously a top concern for security teams. A steady drumbeat of high profile breaches and revelations of highly sophisticated attacks driven by nation-states has burned this risk into the minds of everyone from the wiring closet to the boardroom. This has led many organizations to aggressively pursue new technologies and solutions that can help identify malicious files even in the absence of a known signature. This is great progress, but it has uncovered a challenge that many security practitioners didn’t expect – unknown malware isn’t all that rare.
Even forward-leaning organizations that have adopted new technologies to detect unknown malware still rely largely on manual investigation and remediation once the malware is detected. Given the scale at which large malware operations are run, a security team can quickly be consumed responding to wave after wave of malware variants, to the point that it misses the truly targeted attack hitting its network. Ultimately, we need to realize that these are different threats that require different processes and responses. Where possible, we must automate our defenses against automated threats, including those that are unknown, so that our manual response can be focused on the truly targeted and highest-risk threats.
In the recently announced Modern Malware Review, I had the opportunity to analyze more than 26,000 seemingly unique samples of malware collected in real enterprise networks. All of these samples were tested against multiple antivirus solutions, and none of them had coverage at the time they were detected. However, on closer inspection, some of these samples were not so unique after all. If we looked beyond the superficial characteristics of file name and hash value and dug into the payload of the malware itself, we quickly saw that over 40% of these samples were related.
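To make the "related beyond the hash" idea concrete, here is an added example (not code from the Modern Malware Review or from any vendor tool) that groups samples by shared payload content rather than by file hash. The samples are constructed byte strings: a fake header, a per-variant random stub of varying length that changes the SHA-256 of every file, and a payload that is shared within a family. The window size, the similarity threshold, the family and variant names, and the single-family "singleton" are all assumptions made for the illustration; real polymorphic samples would have to be unpacked before their payloads could be compared, and production pipelines use similarity digests such as ssdeep or TLSH rather than the raw sliding windows used here.

```python
"""Relating 'unique' malware samples by shared payload, not by file hash.

Added example for this post (not code from the Modern Malware Review or
from any vendor product). Every sample below is a constructed byte
string; the unpacking step real samples would need is skipped.
"""
import hashlib
import random
from itertools import combinations

WINDOW = 16      # bytes per sliding window (assumed; tune per file type)
THRESHOLD = 0.5  # Jaccard similarity needed to call two samples related (assumed)


def payload_for_family(family: str, length: int = 1024) -> bytes:
    """Deterministic pseudo-random bytes standing in for a family's real code."""
    rnd = random.Random(f"family:{family}")
    return bytes(rnd.getrandbits(8) for _ in range(length))


def make_variant(family: str, variant: int) -> bytes:
    """Wrap the family payload in a per-variant stub so the file hash changes."""
    rnd = random.Random(f"{family}:{variant}")
    stub = bytes(rnd.getrandbits(8) for _ in range(rnd.randint(50, 200)))
    trailer = bytes(rnd.getrandbits(8) for _ in range(32))
    return b"MZ" + stub + payload_for_family(family) + trailer


def file_hash(data: bytes) -> str:
    """The 'superficial' identity an AV signature or a hash blocklist keys on."""
    return hashlib.sha256(data).hexdigest()


def windows(data: bytes, size: int = WINDOW) -> set[bytes]:
    """Every `size`-byte window at every offset, so shared content is found
    even when the stub in front of it has a different length."""
    return {data[i:i + size] for i in range(len(data) - size + 1)}


def jaccard(a: set, b: set) -> float:
    return len(a & b) / len(a | b) if (a or b) else 0.0


def cluster(samples: dict[str, bytes], threshold: float = THRESHOLD) -> list[set[str]]:
    """Union-find over pairwise payload similarity; returns groups of related names."""
    sigs = {name: windows(data) for name, data in samples.items()}
    parent = {name: name for name in samples}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b in combinations(samples, 2):
        if jaccard(sigs[a], sigs[b]) >= threshold:
            parent[find(a)] = find(b)
    groups: dict[str, set[str]] = {}
    for name in samples:
        groups.setdefault(find(name), set()).add(name)
    return sorted(groups.values(), key=min)


def related_fraction(groups: list[set[str]]) -> float:
    """Share of samples that belong to a group of two or more members."""
    total = sum(len(g) for g in groups)
    return sum(len(g) for g in groups if len(g) > 1) / total


# Constructed corpus: two families with three variants each plus one singleton.
SAMPLES = {f"{fam}{i}": make_variant(fam, i) for fam in ("a", "b") for i in (1, 2, 3)}
SAMPLES["c1"] = make_variant("c", 1)

if __name__ == "__main__":
    hashes = {name: file_hash(data) for name, data in SAMPLES.items()}
    print("distinct file hashes:", len(set(hashes.values())), "of", len(SAMPLES))
    groups = cluster(SAMPLES)
    for group in groups:
        print("related:", sorted(group))
    print(f"fraction of samples with a relative: {related_fraction(groups):.2f}")
```

Every one of the seven files has a different SHA-256, so a hash-based view reports seven unique samples; the payload view collapses them to two families and one true singleton. The threshold matters: the per-variant stubs here are at most 200 bytes in front of a 1,024-byte payload, so within-family similarity stays well above 0.5, but a heavier packer or an encrypted payload would push raw-byte similarity toward zero and force the comparison to happen after unpacking.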
In addition to looking at the payload of malware, we can also see patterns in the behaviors of malware. This was especially apparent when observing malware communication tactics. Malware traffic is typically quite anomalous when compared to regular network traffic. Thirty percent of malware samples were observed to generate custom or otherwise unknown traffic as part of their command-and-control activity.
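The "custom or otherwise unknown traffic" observation becomes actionable once you check whether a flow actually speaks the protocol its port implies. The following is an added example (not the Review's own analysis or any product's application-identification engine) that runs a minimal protocol check over constructed flow records: a TCP flow to 80 should open with an HTTP request line, one to 443 with a TLS ClientHello record, a UDP flow to 53 with a DNS query header. Anything else on those ports, plaintext HTTP on 443, or an unrecognized byte stream on any port is reported. The port-to-protocol map, the flow records, and the verdict strings are assumptions; the TLS and DNS checks look only at the first few header bytes and are far shallower than a real classifier.

```python
"""Flagging command-and-control traffic that does not match the protocol
expected on its port.

Added example for this post (not from the Modern Malware Review). All
flow records below are constructed; payloads are the first bytes the
client sent, with the TLS ClientHello truncated to its header.
"""
import re
from dataclasses import dataclass

# Assumed map of well-known ports to the protocol we expect to see on them.
EXPECTED = {80: "http", 443: "tls", 53: "dns"}

HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n")


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    transport: str   # "tcp" or "udp"
    payload: bytes   # first bytes sent by the client


def looks_like_tls_client_hello(p: bytes) -> bool:
    """Record type 0x16 (handshake), version 3.x, handshake type 0x01 (ClientHello)."""
    return len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[2] <= 0x04 and p[5] == 0x01


def looks_like_dns_query(p: bytes) -> bool:
    """12-byte header with QR bit clear and opcode 0, exactly one question, and a
    well-formed label sequence followed by QTYPE and QCLASS."""
    if len(p) < 17:
        return False
    flags = int.from_bytes(p[2:4], "big")
    qdcount = int.from_bytes(p[4:6], "big")
    if flags & 0xF800 or qdcount != 1:
        return False
    i = 12
    while i < len(p) and p[i] != 0:
        if p[i] > 63:          # label length must fit in 6 bits (no compression in a query)
            return False
        i += p[i] + 1
    return i < len(p) and len(p) >= i + 5


def classify(flow: Flow) -> str:
    """Best-effort protocol name from the opening bytes, independent of port."""
    p = flow.payload
    if flow.transport == "tcp" and HTTP_REQUEST.match(p):
        return "http"
    if flow.transport == "tcp" and looks_like_tls_client_hello(p):
        return "tls"
    if flow.transport == "udp" and looks_like_dns_query(p):
        return "dns"
    return "unknown"


def verdict(flow: Flow) -> str:
    """'ok', 'unknown-protocol', or '<proto>-on-port-<n>' for a port mismatch."""
    proto = classify(flow)
    if proto == "unknown":
        return "unknown-protocol"
    expected = EXPECTED.get(flow.dport)
    if expected and proto != expected:
        return f"{proto}-on-port-{flow.dport}"
    return "ok"


def scan(flows: list[Flow]) -> list[tuple[str, int, str]]:
    """(dst, dport, verdict) for every flow that is not 'ok'."""
    return [(f.dst, f.dport, v) for f in flows if (v := verdict(f)) != "ok"]


# Constructed flow records (addresses and payloads are made up).
FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 80, "tcp", b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    Flow("10.0.0.5", "203.0.113.11", 443, "tcp", b"\x16\x03\x01\x00\x9c\x01\x00\x00\x98\x03\x03"),
    Flow("10.0.0.5", "10.0.0.2", 53, "udp",
         b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00" + b"\x07example\x03com\x00" + b"\x00\x01\x00\x01"),
    Flow("10.0.0.7", "198.51.100.20", 80, "tcp", b"\x00\x00\x00\x2a\x8b\xfe\x10\x01" + bytes(range(32))),
    Flow("10.0.0.7", "198.51.100.21", 443, "tcp", b"GET /gate.php HTTP/1.0\r\n\r\n"),
    Flow("10.0.0.7", "198.51.100.22", 53, "udp", b"\xde\xad\xbe\xef" + b"\x00" * 16),
    Flow("10.0.0.7", "198.51.100.23", 4444, "tcp", b"\x01\x02\x03\x04" * 8),
]

if __name__ == "__main__":
    for dst, dport, v in scan(FLOWS):
        print(f"{dst}:{dport} -> {v}")
```

The first three flows are the normal baseline; the remaining four are the kinds of thing the text calls custom or unknown: a binary blob on 80, unencrypted HTTP where TLS belongs, a non-DNS datagram to 53, and an unrecognized stream on an arbitrary high port. A check like this is cheap to automate and is exactly the sort of decision that should not wait for a human, which is the point of the paragraph above; the caveat is that it only says a flow is not what it claims to be, not what it is, so it is a triage signal rather than a verdict.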
These are obviously just starting points, but the concept is certainly one that is extensible, and ultimately necessary in my opinion. Security evasion and customized malware have become mainstream for attackers of all skill levels, and we will always lose if we attempt to fight an automated threat with a manual response.
You can read more about my thoughts on modern malware in my SecurityWeek article, "Getting a Handle on the Scale of Modern Malware". Feel free to connect with me in the comments below.