Advanced cyber attacks hit businesses 20 times an hour on average, according to researchers at security firm FireEye.
This indicates just how pervasive advanced malware capable of evading traditional security defences has become, according to the firm’s latest advanced threat report.
Data gathered from 89 million malware events, along with direct intelligence uncovered by the research team, shows that many cyber attacks routinely bypass traditional defences such as firewalls, intrusion prevention systems, anti-virus and security gateways.
While enterprises experience a malware event up to once every three minutes on average, the report said the rate of malware activity varies across industries, with technology companies experiencing the highest volume at up to one event a minute.
Spear phishing remains the most common method for initiating advanced malware campaigns, the researchers found.
When sending spear phishing emails, attackers opt for file names with common business terms to lure unsuspecting users into opening the malware and initiating the attack.
ZIP archives remain the preferred container for malware delivery: malware was delivered in ZIP format in 92% of attacks.
Several malware innovations have appeared to better evade detection, researchers found.
Instances of malware were uncovered that execute only when a user moves the mouse, a tactic that could dupe current sandbox detection systems, since an automated sandbox that supplies no mouse input never sees the malicious behaviour.
In addition, malware writers have also incorporated virtual machine detection to bypass sandboxing.
Researchers also found that attackers are increasingly using dynamic link library (DLL) files. By avoiding the more common .exe file type, attackers use DLL files to prolong infections, the report said.
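The three evasion traits above (DLL rather than EXE delivery, execution gated on mouse input, and virtual machine detection) can be screened for statically before a sample ever reaches a sandbox. The script below is an added example and is not FireEye's tooling or anything from the report: it reads the Characteristics field of the PE COFF header to tell a DLL from an EXE, then scans the file for API names and VM artefact strings. The indicator lists (`MOUSE_GATING_APIS`, `VM_ARTIFACT_STRINGS`) are this example's own assumptions, and `build_minimal_pe` constructs a bare test header rather than a real binary.

```python
import struct

IMAGE_FILE_DLL = 0x2000  # Characteristics flag in the COFF file header

# Assumed indicator lists for this example (not from the report): Win32 APIs a
# sample may import to wait for real user input before running, and strings it
# may look for to recognise a virtual machine or sandbox.
MOUSE_GATING_APIS = [b"GetCursorPos", b"GetLastInputInfo",
                     b"SetWindowsHookExA", b"SetWindowsHookExW"]
VM_ARTIFACT_STRINGS = [b"VBoxGuest", b"VBoxService", b"vmtoolsd",
                       b"VMware", b"QEMU", b"SbieDll.dll"]


def pe_characteristics(data: bytes) -> int:
    """Return the Characteristics field from the PE COFF header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header layout: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2)
    # Characteristics(2) -> offset 18 into the header, after the 4-byte signature
    return struct.unpack_from("<H", data, e_lfanew + 4 + 18)[0]


def is_dll(data: bytes) -> bool:
    """True when the image is flagged as a DLL rather than an executable."""
    return bool(pe_characteristics(data) & IMAGE_FILE_DLL)


def find_indicators(data: bytes, patterns) -> list:
    """Return the indicator strings present anywhere in the sample, sorted."""
    return sorted(p.decode() for p in patterns if p in data)


def triage(data: bytes) -> dict:
    """Summarise the evasion traits found in one sample."""
    return {
        "is_dll": is_dll(data),
        "mouse_gating": find_indicators(data, MOUSE_GATING_APIS),
        "vm_detection": find_indicators(data, VM_ARTIFACT_STRINGS),
    }


def build_minimal_pe(dll: bool, payload: bytes = b"") -> bytes:
    """Constructed test input: a bare MZ/PE header with no sections and the
    given payload appended. Enough for the checks above; not a runnable binary."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header follows the DOS stub
    characteristics = 0x0002 | (IMAGE_FILE_DLL if dll else 0)  # EXECUTABLE_IMAGE [| DLL]
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff + payload


if __name__ == "__main__":
    sample = build_minimal_pe(True, b"...GetCursorPos\0VBoxService.exe\0vmtoolsd...")
    print(triage(sample))
```

A hit on `mouse_gating` or `vm_detection` is a reason to run the sample in a sandbox that injects synthetic mouse movement and hides hypervisor artefacts, not a verdict on its own: plenty of benign software imports the same APIs. The DLL flag is useful for the report's other point, since a DLL that is loaded by a legitimate host process rather than launched as a `.exe` tends to survive longer on a host.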
Time to modernise security strategy
“This report provides an overview of how attacks have become much more advanced and successful at penetrating networks, regardless of industry,” said FireEye founder and CTO Ashar Aziz.
“As cyber criminals invest more in advanced malware and innovations to better evade detection, enterprises must rethink their security infrastructure and reinforce their traditional defences with a new layer of security that is able to detect these dynamic, unknown threats in real time,” he said.
Zheng Bu, senior director of research at FireEye, said malware writers are investing enormous effort in developing evasion techniques that bypass legacy security systems.
“Unless enterprises take steps to modernise their security strategy, they are sitting ducks,” he said.
Dana Tamir, director of product at security firm Trusteer, said detection-evading malware is another example of targeted attacks that exploit the biggest enterprise weakness – vulnerable endpoint applications.
“The attack exploits vulnerabilities to introduce malware, which then enables the attack progression. By blocking the exploit, the entire attack can be stopped. But that can't be done with blacklisting solutions,” he said.
“Since most targeted attacks exploit zero-day vulnerabilities, a solution should be able to block the attack without knowing anything about the vulnerability targeted or the malware used.
“It should analyse the application state when performing sensitive operations like executing a file. If the application writes a file outside a known and approved state, it is being exploited and the operation should be stopped,” said Tamir.
David Harley, senior research fellow at security firm ESET, pointed out that targeted attacks typically make heavy use of social engineering as an entry point. “As such, technical defences like spam filters and firewalls are less likely to pick them up,” he said.
Malicious code is also likely to be customised to a point where it is not so easily found by generic malcode detection, said Harley.
In addition, he said, there is an increasing tendency for utilities to be targeted, and the specialised always-on nature of some of the equipment at such sites makes it harder to protect using traditional defences such as security software and patching.
“The best defences are multi-layered. These involve efficient updating and patching. It also means not relying on a single layer/security solution, such as a firewall,” said Harley.
Businesses should also take steps to build up resistance to social engineering by educating staff on the ways to spot malware, he said.