Security Tools Archives • PC PORTAL

It’s unlikely we’ll ever look back fondly to a time when ransomware would announce itself noisily. But at least victims knew they were under attack. Now, the signs are that malware’s adopting sneaky tactics to avoid detection.

Fileless malware looks set to be a significant security threat in 2019, and that could be bad news for anyone using traditional antivirus tools. In the past, most infections involved installing malicious software on a target’s hard disk. But in doing so, it left a signature that alerted security software to its presence. Fileless malware, on the other hand, exists only in memory. It leaves none of the traces that traditional infections do, making it much harder to identify, stop, and remove.

That’s leading to a potential gap in security defences that attackers seem to be exploiting in growing numbers. SentinelOne tracked a 94 per cent rise in fileless attacks during the first half of last year. Research from the Ponemon Institute and Barkly found fileless attacks accounted for 35 per cent of all attacks during 2018.

Under the radar

Now, most leading security software companies like Symantec, Trend Micro and McAfee Labs recognise this type of undetected malware. It was also the subject of a recent webinar by Malwarebytes. Its senior product marketing manager Helge Husemann namechecked SamSam, Sorebrect, Emotet and TrickBot as some of the biggest fileless malware types from 2018.

Emotet is the biggest example of this type of “under the radar” malware. It’s been around since 2014 and it acts as a downloader for other malware. It uses leaked NSA exploits and it comes with a built-in spam module that allows it to spread to other systems. The attack often starts as an email that pretends to come from a government service, like the tax office.

Husemann said Emotet’s primary focus has been English-speaking, Western countries. Many of its targets were in the US, while the UK had more Emotet infections than any other European country in 2018. Last October, Emotet was used to spread ransomware to the North Carolina Water Authority.

Malwarebytes categorises the SamSam ransomware as semi-fileless. Husemann said attackers usually install it manually through patch scripts once they have already broken into a victim’s network. The city of Atlanta, which suffered a major outbreak of SamSam in March 2018, has spent around $2.6 million on recovery.

A common attack vector for fileless malware is via PowerShell, which is a legitimate Windows scripting tool but is also popular with cybercriminals. “It provides an opportunity for the attacker to hide the malware and make system modifications if they need to. We will definitely see the usage of PowerShell happening much more,” Husemann said.

Watching for weak points

Another way to get an infection is by visiting a compromised website. The site’s code then exploits a vulnerability like an unpatched browser or an unsecured Flash plugin on the user’s computer.

Rebooting a system will usually get rid of a fileless infection – but you would need to know you’re infected in the first place. What’s more, rebooting creates challenges for digital forensics investigations because of how fileless malware operates in-memory. Once the infected system is turned off, it leaves no evidence behind.

With thousands of new malware variants coming out every day, it won’t be enough to rely only on signature-based security tools to spot threats. “Malware may be hiding in the one place you’re not checking, which is process memory. After years of loud and obvious ransomware we are entering the stage of quiet information stealers,” Husemann said.

An effective endpoint solution should consist of three components, Husemann said. First is the ability to prevent a cyberattack through multiple protection layers including web protection, application hardening and behaviour, exploit mitigation, and payload analysis. The second component is the ability to detect threats, using advanced techniques. The third element concerns response: being able to remediate an incident in the fastest possible time, to minimise disruption to business and reduce the impact on end users.

BH Consulting is independent so we don’t have ties to any one product vendor. No matter which security tool you use, it’s clear that the software we used to call “antivirus” still has an important role in protecting organisations’ valuable data.

The post It’s oh so quiet: get ready for stealthy malware in 2019 appeared first on BH Consulting.

Vulnerability assessments usually involve using automated tools such as Nessus or Qualys to carry out a passive scan of an organisation’s systems. The process produces a list of security gaps and ranks them in order of risk. It gives an organisation clear data to guide the process of deciding which issues to prioritise first based on budget, available resources, or likelihood of the threat.

If forewarned is forearmed, then the value of a vulnerability assessment is that it identifies weaknesses in your systems proactively. It’s different to a penetration test which not only finds security gaps but actively exploits them to replicate the damage a malicious attacker could do without the repercussions.

Why check for vulnerabilities?

Lately, we’re seeing organisations carry out vulnerability assessments, or get an independent provider to do it for them, much more frequently. I think there are two reasons for this. One is the increasing adoption of the ISO 27001 information security standard. We advise organisations that want to get certified or stay compliant to check for vulnerabilities at least twice a year and perform a penetration test at least once a year.

The second driver is – surprise, surprise – GDPR. Growing numbers of businesses and public sector agencies are now aware that they need to protect data. Checking for weak points can help them put safeguards in place to avoid breaches. In the event of a breach, an organisation may avoid heavier penalties if it can prove to the regulator that it has been carrying out vulnerability assessments and doing their due diligence. On the other hand, the authorities won’t look too kindly on breach victims that were running old operating systems with no security controls or patching mechanisms in place.

What to fix

I carry out vulnerability assessments every week, and many of the risks I find are very common. Many of them fall into the categories of medium or high risk. For example, many websites still use old versions of SSL or TLS for encrypting data transfers. Some people might assume that a brochure website doesn’t need this level of protection, but I think that’s a mistake. Even a static page may have a function that calls another function that talks to the database or another application. This is a relatively easy issue to fix, and it addresses a potentially large security hole.

Even for a brochure website, it’s worth doing this upgrade since it’s a big gain for relatively little effort. Implementing TLS carries little cost and eliminates a lot of potential weaknesses. Since SSL was deprecated, it’s a matter of changing to TLS 1.1 or 1.2 which in some cases is as simple as checking a box.

To upgrade or not to upgrade

Another common issue that vulnerability assessments will uncover is out of date software like Apache or OpenSSH. (I recently found one site using a five-year-old version of OpenSSH!) As with the risks I referred to above, fixing them is often a matter of clicking the ‘update’ button in the application.

Whether an organisation updates or not will depend on its attitude to risk. Some choose not to do so because they are concerned about affecting their production environment. Or, they might not have time and resources to test the stability of an application on the new version. I would always argue in favour of acting, but at the very least, a vulnerability assessment will highlight areas that you can rank in order of priority.

The length of time it takes to conduct the assessment will vary. It’s not necessarily as simple a calculation as adding up the number of IP addresses to check. I’ve seen three IP addresses take four hours to scan. It also depends what software the organisation uses, and whether it’s patched or unpatched.

Taking action afterwards

Let’s say the testing lasts a day. Writing the report then involves taking the findings from the automated scanning tool and translating that into language that will allow a client to weigh up its business risk. Some companies take the report and fix the issues that it covers. Some use it as a talking point with their software development teams, to make them aware of certain vulnerabilities. Best practice advises that those organisations run an assessment a few months later to check that any fixes they implemented were successful.

However, I’ve also seen the opposite, where I have carried out monthly vulnerability checks and the client chooses not to fix the issues that the report raises. That goes to the heart of security: making decisions based on the level of risk you’re prepared to bear. Good security practice suggests looking for weak points in your security before someone with malicious intentions does it for you.

The post The value in vulnerability assessments: closing gaps to improve security appeared first on BH Consulting.