Carl Leonard, Principal Security Analyst at Forcepoint UK elaborates on the threat scenario today and what enterprises need to do to make sure their data is safe and secure
Organizational cybersecurity has transformed in leaps and bounds alongside advances in cybercriminal activity. With new and ever-evolving malware, ransomware, Trojans and other attacks, organizations have made security a top-level priority, and the right approach to protecting data is crucial for businesses to function today.
The Cybersecurity Threat Landscape
The threat landscape is always evolving. According to Carl, cybercriminals never rest on their laurels: they keep refining their tools and continue to make profits. Carl explains, “That’s what we have seen with the DRIDEX malware. One should remember that DRIDEX is two years old and recently it has become very quiet. The cybercriminals are enhancing their tools. Some reports say that DRIDEX is responsible for over a hundred million dollars in losses from the victims, stealing their online banking credentials.” Recently DRIDEX has gone quiet and is being superseded by ransomware.
“It is about making sure you can do business in six months’ time by protecting your organization now.”
Carl Leonard
Principal Security Analyst
Forcepoint
Carl continues, “The landscape is continuously changing and even if one piece of malware leaves the radar for a period of time, it might be that the malware authors are just advancing its capabilities.” This hibernation gives authors additional time to focus on adding extra features to the malware. “And with our most recent blog on DRIDEX malware, we have elaborated on its features. This DRIDEX malware has pretty significant features now. First is, it has started blacklisting machines. The DRIDEX malware has access to a list of machines that it can then decide not to infect. These machines could be of security researchers, they could be sandboxes.” If neither the security researchers nor the sandboxes receive the malware, then analyzing it is impossible. As per Carl, the DRIDEX authors maintain this blacklist and the malware will not be delivered to those machines.
Apart from not delivering to specific machines, the updated DRIDEX’s second enhancement is that it now extends beyond stealing the typical online banking credentials. How does it work? Carl explains, “It injects code into your banking website, into the browser, so then it looks like it is your bank’s website that is asking for your username and password. Then once the malware authors have this database of usernames and passwords, they can then log in to your bank account, and transfer money out.” Malware always goes where the money is, and Carl observes that Indian banks are increasingly targeted by global cybercriminals.
The third feature of this updated DRIDEX is that it prepares for future attacks. This version has started counting the crypto-currency (e.g. Bitcoin) wallets stored on victims’ machines. “The malware has started building knowledge to attack in the future. The new version has updated itself to look for software in addition to normal banking and is preparing for the future by checking the popularity of crypto-currency wallets,” adds Carl.
Top Targets for Cyberattacks
As per Carl, DRIDEX primarily targets the software of financial institutions, as well as coupon sites where customers pay with credit cards and bank accounts; in both cases DRIDEX goes directly to the source of the money. Carl remarks, “In 2014, we did a study that found that the financial services sector was three times more likely to be targeted. What we know is that the attacks are delivered from all over the world and malware authors target individuals and businesses all over the world.”
Forcepoint has performed two pieces of analysis on a botnet campaign called JAKU. JAKU, Carl explains, was particularly interesting because it captured very personal information about its victims, such as passport documents, and specifically targeted a group of individuals with links to North Korea. He adds, “The victims were hosted primarily in the APAC region. We also have a white paper on JAKU available on our website.”
Carl continues, “We also did another piece of analysis on a targeted attack, an APT called Monsoon in the APAC region. Monsoon was possibly being used to steal personal information from government organizations, military, academia and tech companies. All of these attacks do tell us it is all about the importance of the stored data and also the importance of protecting the data from external attackers, and also, from employees. Like, if an employee makes a mistake, and accidentally transfers personal information out to their personal email address, that is not something that the business would like to happen. So it is very important to look at the external attackers as well as insider threat from employees.”
The Attack Lifecycle
Carl says that the lifecycle is fairly common across these attacks. The initial entry point into the organization is often a malicious email; once the end user is socially engineered, he or she is tricked into opening the attachment or clicking on a website link inside the email. “Malware authors are continually trying newer evasion tactics and ways to disguise the malware from analysis or make it difficult for the end user to notice that they are now infected.” Carl continues, “Our research shows that sometimes, the point of infection and the duration that the malware author is inside the organization stealing data could actually be 200 days without detection.” Thus, it is important to stop that lifecycle early on, by having good email security solutions in place and encouraging employees not to open emails from unrecognized senders. Carl opines, “The earlier an attack is stopped, the better it is for an organization.”
Expert Advice to Enterprises
Carl remarks, “We always tell our customers it is very important to understand the behavior of machines and end users inside the organization, so that you know what is normal and can identify unusual happenings better. Focus on the data inside the organization and be prepared for the fact that malware author tactics will change. To understand this, organizations need to take help from security researchers to understand detection technologies.”
The fact is that no vendor can promise 100% detection, so enterprises will no doubt have malware breaching their organization’s perimeter. This calls for a proper reporting system. Not every business has the ability to build up a team of security researchers. “On some fronts they have the funds and desire to do that, and we have seen that banks are actually at the forefront of security, as they realize the need to protect money there. But not all businesses have such resources, so in those cases organizations can use security vendors such as us as their extended security operations center.”
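The advice above is to learn what is normal for each machine and user and then look for deviations, including the insider case mentioned earlier of an employee sending personal data to a personal email address. The following is an added example, not Forcepoint’s code or any product’s logic, that applies that idea to a constructed outbound-email log: it builds a per-user baseline of attachment sizes and recipient domains from a history window, then flags current events that fall far outside that baseline, go to a domain the user has never mailed, or go to an assumed list of personal webmail domains. Log format, field names, the `.example` domains and the z-score threshold are all assumptions.

```python
"""Baseline-and-deviation check over constructed outbound-email log lines.

Added example (not Forcepoint's code): learn what is "normal" per user from a
history window, then flag unusual events in a current window.  Log format,
domain names and thresholds are assumptions made for the illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Assumed list of personal webmail domains (constructed, not real providers).
PERSONAL_DOMAINS = {"webmail.example", "freemail.example"}

# Constructed history window: timestamp, sender, recipient domain, attachment bytes.
HISTORY_LOG = """\
2016-06-01T09:12:00 alice corp.example 100000
2016-06-02T10:03:00 alice corp.example 120000
2016-06-03T11:41:00 alice partner.example 90000
2016-06-06T08:55:00 alice corp.example 110000
2016-06-07T14:20:00 alice corp.example 130000
2016-06-08T16:02:00 alice partner.example 95000
2016-06-01T09:30:00 bob corp.example 50000
2016-06-02T09:31:00 bob corp.example 55000
2016-06-03T09:29:00 bob corp.example 45000
2016-06-06T09:33:00 bob corp.example 60000
2016-06-07T09:28:00 bob corp.example 40000
"""

# Constructed current window: one ordinary event, one large send to a personal
# webmail domain, and one user with no history at all.
CURRENT_LOG = """\
2016-06-09T09:30:00 bob corp.example 52000
2016-06-09T18:47:00 alice webmail.example 4500000
2016-06-09T19:05:00 carol corp.example 30000
"""


def parse_log(text):
    """Parse whitespace-separated log lines into event dicts; skips blanks/comments."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, domain, size = line.split()
        events.append({"ts": ts, "user": user, "domain": domain, "bytes": int(size)})
    return events


def build_baseline(events):
    """Per-user mean/stddev of attachment size plus the set of domains seen."""
    sizes = defaultdict(list)
    domains = defaultdict(set)
    for e in events:
        sizes[e["user"]].append(e["bytes"])
        domains[e["user"]].add(e["domain"])
    return {
        user: {"mean": mean(s), "std": pstdev(s), "domains": domains[user]}
        for user, s in sizes.items()
    }


def find_anomalies(baseline, events, z_threshold=3.0):
    """Return (timestamp, user, reasons) for events that deviate from baseline."""
    alerts = []
    for e in events:
        reasons = []
        b = baseline.get(e["user"])
        if b is None:
            reasons.append("no baseline for user")
        else:
            spread = max(b["std"], 1.0)  # guard against a perfectly uniform history
            z = (e["bytes"] - b["mean"]) / spread
            if z > z_threshold:
                reasons.append(f"attachment size {z:.1f} standard deviations above baseline")
            if e["domain"] not in b["domains"]:
                reasons.append(f"first send to domain {e['domain']}")
        if e["domain"] in PERSONAL_DOMAINS:
            reasons.append("recipient is a personal webmail domain")
        if reasons:
            alerts.append((e["ts"], e["user"], reasons))
    return alerts


def run_check():
    """Convenience entry point: baseline from history, alerts from current window."""
    baseline = build_baseline(parse_log(HISTORY_LOG))
    return find_anomalies(baseline, parse_log(CURRENT_LOG))


if __name__ == "__main__":
    for ts, user, reasons in run_check():
        print(f"{ts} {user}: {'; '.join(reasons)}")
```

Run as a script it prints one alert for alice (size far above her baseline, new domain, and a personal webmail recipient) and one for carol (no history to compare against), while bob’s ordinary send produces nothing. In practice the baseline window would be built from weeks of data and a first-seen domain alone would be a low-severity signal; the point is that deviation from a learned norm, not a signature, is what surfaces the event.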
Malware is used to penetrate an organization, and as the real capabilities of malware and its delivery mechanisms evolve, cybercriminals in online black markets can sell malware as a service. The more this happens, the more anyone who buys such services can become a cybercriminal. “That means more incidents of data breaches, and money being stolen from accounts. Thus security vendors are seeing more and more issues as malware is readily available nowadays,” adds Carl.
Spending on Protection
Carl says that, typically, the share of the IT budget set aside for security is as low as 10% in some cases. However, with the surge in cyber breaches, businesses have started to realize that the security of the organization’s data is extremely important. Carl says, “It protects their brand, protects their ability to do business, it protects the reputation of the organization and it reduces the likelihood they pay a fine when they are breached. In our recent findings, we observed that the cybersecurity decisions are being held at the board level. So cybersecurity is not just an IT problem and is in focus for C-suite execs too. It is about making sure you can do business in six months’ time by protecting your organization now.”
This in particular has raised the profile of cybersecurity for businesses: with discussions at board level, they can invest the right amount of money to mitigate the risk they want to reduce. “So that is what we try to do with the resources we have, with different technologies and processes to allow businesses to remain profitable, to continue in business, and to be able to adapt to new technologies,” concludes Carl.
By: Chitresh Sehgal – csehgal@accentinfomedia.com