Watch the 9-minute video above or on YouTube, or read the transcript below:
dotmagazine: When it comes to malware, you take the position that “prevention is no longer enough”. Could you explain what you mean by that?
Nikolei Steinhage: The times when prevention was enough have long passed. You need to imagine that an attacker has as many attempts as he likes, and he does not really need a lot of resources to attack you. And you need to defend against him all the time. You can easily see you cannot win this game. So, if you are a company where IT is relevant for your business, then this means that any incident will affect your business and thus your revenue – and so, you cannot totally rely on prevention; you have to take the next step to really protect your business.
I always tell the customer, you need a strategy, a so-called cyber mitigation strategy, and it can be really simple. For example, my advice is:
- First, of course, do prevention. And companies are already doing that, and they are doing a good job.
- The next step is you need to defend. Defense is resiliency. That means it doesn’t matter whether you know if the attacker is already in or not; you have to defend your assets. Make them secure. For example, network segmentation, two-factor authentication, encryption – things like that – and a lot of companies are also doing a great job there, but a lot of companies don’t.
- And the next step all companies want to do is detection. So, detect the attacker that is already in and has passed your security.
This is not so easy, because it’s not about malware, or not only about malware. My opinion is maybe it’s better to detect the attacker, and not the malware. You can easily do prevention when it comes to malware. But if someone got through, it’s better to focus on the attacker, not on the malware itself. And a lot of companies buy shiny new tools they are really convinced of, and these tools generate a lot of alerts.
And then they realize, “Oh, we are not capable of responding to these alerts.” So really, if you go for detection, you always have to keep in mind that you need to respond. Response simply means: An alert is just a certain probability that something bad has happened, so you need to validate that it really happened and then you have to react to that incident. For example, this can be to isolate the system, do forensics, recover from the incident, and things like that, depending on the incident.
dot: To what extent are new attacks based on previously-used malware, and what impact does this have on detection and mitigation?
Steinhage: Most malware is really based on old, previously known malware. There are a lot of reasons for that. Most of the time, attackers want to use something that’s already there, something that is stable. They need to speed up and they need something reliable. So, they really rely on old malware, and there are a lot of tactics to change this kind of malware, by encoding or other mechanisms, in such a way that it cannot be detected by traditional signature-based detection mechanisms like antivirus.
The thing is that this kind of malware can easily be detected by its behavior. Although it has changed the way it looks from the outside – so it can bypass your security – at the end point, it will show the same behavior as the previous malware. And so we can detect that, of course, and this is also the reason why we see some kind of revival in endpoint security. The first reason is the behavior, and the second is that a lot of network traffic is now encrypted, and where do you see everything? It’s on the end point. But the challenge with that is, it’s the end point at the end of the day that got compromised. And so, you cannot trust the end point, and thus not the security tools on it. So, you should have at least an independent mechanism for detecting not the malware, but the attacker that compromised the system.
dot: How often do you encounter completely new forms of malware, and how do you approach dealing with them?
Steinhage: It’s a matter of definition of what new malware means. If you look at the statistics of AV vendors, then every malware – even known old malware that was changed a little bit by encoding or something like that – counts as new malware. So, it’s really a matter of definition. Of course, even malware evolves. Normally when we talk about “malware”, it’s not really precise. Malware consists of different pieces: for example, the dropper that drops or brings down the malware, then the malware or the exploit, and the remote-access Trojan at the end, when you want to be persistent on the system. And every piece gets better and better over time – new versions of it that are based on the old ones, of course.
My opinion is that at the end of the day it really does not matter if it is new or old malware. What matters is: Is the organization able to detect that it got breached, and is it able to react properly to that breach? The impression is that most organizations are not. They don’t have the capacity in terms of manpower. They don’t have the skills, they don’t have the tools, they do not even have a plan.
In Germany, the incident response is very often to re-image the infected system. By doing so you lose everything. You lose the proof that something has happened. You cannot investigate what has happened, you even do not know how the attacker came in. So, there are no lessons learned, and you cannot prevent it from happening a second time.
And also, the first thing an attacker will do is lateral movement. He will find other systems in your organization he can jump to, so at the end of the day, you will re-image the system and he will pop up on another system. And this reminds me of the game “Whack-a-Mole”.
A lot of companies have plans in place – business continuity, disaster recovery, and things like that – and they also believe that these kinds of plans are appropriate for a breach. But they aren’t. If you have a breach, you need a security recovery plan. Because, for example, if an endpoint got compromised, the compromise might be in your backup. So, you re-image the system and then you replay the backup, and the system might be compromised again. So it’s a little bit more complicated.
Nikolei Steinhage is a senior sales engineer and security consultant with over 16 years of experience as a professional in cyber security.
Please note: The opinions expressed in Industry Insights published by dotmagazine are the author’s own and do not reflect the view of the publisher, eco – Association of the Internet Industry.