Maksim Kabakou - Fotolia

Security Think Tank: Awareness and incident response key to fighting evasive malware

How can businesses best prepare their cyber defences in light of the fact that attackers are increasingly using malware designed to evade detection and analysis?

Recent research findings noted that there was a marked increase in malware deployments using techniques to evade detection in the second quarter of 2016.  

To improve their defenses against such attacks and improve what can be done to mitigate the effects of a successful attack, the first thing necessary is a comprehensive and tested plan to handle security incidents. 

The key stages of a plan would cover staff reporting that something is wrong, the establishment of an incident team to investigate and assess the damage caused (and not just IT damage, but damage to the business) and initiating the recovery process, which might require the use of back ups and/or the use of external expertise.

Public relations is another key aspect to be handled by the incident team, along with any regulatory reporting requirements.

Once operations have been fully restored, the final job of the team is to undertake a review of what happened and the processes in play, with the aim of identifying how operational and incident management processes can be improved.

Someone should then be appointed to ensure that the identified processes (policies, procedures and work practices) are appropriately updated and any additional IT reinforcement is budgeted for and applied.

Staff awareness

What can be done to reduce the risk of a malware infection in the first place? The recommended starting point is ensuring that all staff are aware of the issues and how they can help. This is because the most likely source of an infection will be a staff member opening an email attachment or clicking on a link in an email. 

While formal training comes to mind, poster and leaflet campaigns, pop-up messages when staff log on and/or access the internet, informal staff meetings and one-on-one chats over a coffee (other drinks are available) with senior and key people can pay big dividends and plays well with staff.

Staff awareness is not a one-off exercise, but a continuing and evolving program.

Access permissions

With a staff awareness program in play, companies should look at the network and system operation. For example, no one in a company other than trained IT administrators should have administrative privileges (and not just servers but all company PC’s, laptops and tablets).

Administrators should have two accounts, one for system administration and one for day-to-day use. No person should have access to all files in a company’s system, not even the chief executive or IT director. 

People should only be able to access and perform actions on the files absolutely necessary for them to perform their job function – for example,  if only “read” access is required, that is all that should be given.

Office products should be configured not to run macros automatically, and internet front-end systems while running antivirus processes should be configured to only allow regular office files as email attachments (such as .rtf and .doc) and block executables and double zipped files.

While disarming emails with scripting is recommended, this might not be acceptable to some companies and an informed decision based on risk needs to be taken. Similar protection is also needed for internet browsing.

Additional protection for servers should include running a local firewall on the server while whitelisting applications is a strong recommendation, therefore only known whitelisted applications can run. 

Ensure proof of due diligence in the protection of data by keeping up to date with protection legislation or other laws, therefore minimising liability should the company be hit by stealthy malware. 

Roles need to be formally established defining what files and database fields those roles can access and what action on those files and fields can be taken. File and database systems also need to be configured to effectively support only those roles.

Peter Wenham is a committee member of the BCS Security Forum strategic panel and director of information assurance consultancy Trusted Management.

Read more on Hackers and cybercrime prevention