Customized Malware: Confronting an Invisible Threat

Hackers are gaining entry to networks through a targeted approach. It takes a rigorous defense to keep them out.

John Moynihan, President, Minuteman Governance

March 31, 2017


How secure is your network from unauthorized access?

Before you launch into a practiced response regarding your best-in-class firewall and robust antivirus software, you should know that the rapidly evolving malware landscape has rendered these technologies increasingly ineffective. Prolific, adaptable hackers are deploying customized malware to compromise networks throughout the financial services, healthcare, technology, and government sectors. However, it is possible to mitigate the risk.

What Is Customized Malware?
Customized malware is malicious software that has been modified to evade detection by traditional security technologies. Customized malware comes in many forms, including ransomware. The most common delivery method is inbound email, by way of a phishing or spearphishing attack. Because traditional antivirus products rely on signature-based detection, only malware variants whose signatures have already been identified and catalogued are successfully quarantined. Therefore, the modified variants escape detection at an alarming rate.

Whenever a new malware variant is identified, a "patch" (a detection update) that addresses this specific threat is created, distributed, and installed. In an enterprise environment, conscientious security administrators ensure that all new patches are installed as soon as possible. Unfortunately, the period between identification and analysis of a new variant and distribution of the corresponding update is 30 to 90 days. In the interim, organizations are significantly exposed to the risk of a customized malware attack.

Although these undetectable threats have existed for several years, the widely publicized attack on Target provided an unprecedented glimpse of how customized malware is used. In that breach, the malware installed within the company's network permitted a group of hackers, based in Eastern Europe, to perform extensive system reconnaissance and, ultimately, steal over 40 million credit and debit card numbers without ever being internally detected.

Shortly after the attack on Target, the United States Secret Service initiated an investigation and engaged iSIGHT Partners to assist in the forensic review. In January 2014, iSIGHT issued a report entitled "KAPTOXA Point of Sale Compromise." The KAPTOXA report revealed that the malware variant used to attack Target had a 0% detection rate. Simply put, the malware was customized to be completely invisible.

Mitigation Approach
The evasive nature of customized malware requires the implementation of a multilayered approach to data protection and network security. Given that antivirus products have become increasingly ineffective in preventing these attacks, enterprises can't rely solely on security technologies. An approach that combines employee education, threat containment, and network monitoring will reduce the risk of a customized malware penetration.

Education: Given that phishing and spearphishing remain the most prevalent delivery methods for initiating a customized malware campaign, it's essential that enterprises provide all users with clear, practical guidance on how to identify and guard against this tactic. Management must recognize that all users, whether employees, contractors, or interns, face a continuous barrage of "social engineering" overtures and can become the conduit for a malware infection. Therefore, the most proactive method of preventing an attack is workforce education. The education process begins with the distribution of a clear, current information security policy that provides specific, practical guidance.

The next element of effective cyber education is mandatory employee training. The curriculum must be aligned with the policy and include a discussion of employee responsibility, an explanation of prohibited activities, and a description of the consequences for violators. An ongoing training program is a central element of an organization's cybersecurity program, without which users will engage in arbitrary and irresponsible behavior when using technology resources.

Containment: Although educating users will reduce an organization's risk of being compromised by a customized malware attack, it doesn't eliminate the threat. Through effective network segmentation, intruders may be contained within "segments" that do not house or process confidential information. Network segmentation is the process by which a network is divided into various subnetworks, letting an enterprise restrict segment access to only those with a clear business need. If intruders surreptitiously enter a "flat" network, one that hasn't been properly segmented, they enjoy lateral movement and may gain access to payment applications, databases storing personal information, or intellectual property. In a properly segmented network, all critical technologies are isolated and the confidential data residing there is protected.

Think of your local bank. When you walk in, your access is restricted to the teller window and perhaps the branch manager's office. The bank doesn't permit customers unrestricted access from the lobby to the vault or safe deposit boxes. This is a segmented physical environment, and it is directly analogous to network segmentation.

Monitoring: If implementing an employee awareness program and network segmentation fails to prevent an intrusion, system monitoring allows entities to identify and disrupt malicious activity. Although customized malware is undetectable by conventional firewall and antivirus technologies, the activities initiated by this harmful software are identifiable through network monitoring. For instance, although data-scraping malware may penetrate a retailer's point-of-sale environment without detection, network monitoring would detect credit card data being exported from the infected terminals to suspicious, external locations.

Network monitoring is the process by which select components, such as customer databases, are continuously analyzed to detect unauthorized access. A variety of automated monitoring solutions provide the capability of generating real-time alerts of potential network threats. Network monitoring administered by properly trained staff gives an enterprise a final layer of protection against unauthorized access.
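The containment and monitoring layers above can be expressed as one check: a segmentation policy that says which segments have a business need to talk to each other, applied to flow records so that lateral movement into a protected segment and unexpected outbound transfers to external addresses raise alerts. The following is an added illustration written for this article, not code from the author or from any product it mentions. The segment layout, the policy, the flow-log format and the sample records are all constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical segment layout for a small retailer. These networks and names
# are constructed for this example; they are not from the article.
SEGMENTS = {
    "pos":        ipaddress.ip_network("10.10.0.0/24"),  # point-of-sale terminals
    "payment-gw": ipaddress.ip_network("10.20.0.0/24"),  # payment gateway servers
    "db":         ipaddress.ip_network("10.30.0.0/24"),  # databases holding customer data
    "corp":       ipaddress.ip_network("10.40.0.0/24"),  # office workstations
}

# Segmentation policy: (source segment, destination segment) pairs with a
# clear business need. Any other cross-segment traffic is a violation.
ALLOWED_INTERNAL = {
    ("pos", "payment-gw"),
    ("corp", "db"),
}

# External networks each segment may legitimately reach (e.g. the card
# processor). Constructed; 203.0.113.0/24 is a documentation range.
ALLOWED_EXTERNAL = {
    "pos": [ipaddress.ip_network("203.0.113.0/24")],
}

# Outbound volume above which an unexpected external flow is rated high.
EXFIL_BYTES_THRESHOLD = 500_000

# Constructed flow-log format: "src=A dst=B dport=N bytes=N"
FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) bytes=(\d+)")


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    bytes_out: int


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one flow-log line; return None for lines that do not match."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    return Flow(m.group(1), m.group(2), int(m.group(3)), int(m.group(4)))


def segment_of(addr: str) -> str:
    """Map an address to its segment name, or 'external' if it is in none."""
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "external"


def classify(flow: Flow) -> Optional[dict]:
    """Return an alert dict if the flow violates the policy, else None."""
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    if src_seg == dst_seg:
        return None  # intra-segment traffic is not policed by this check
    if src_seg == "external":
        # Inbound from outside lands only in segments the edge permits; none here.
        return {"kind": "unexpected-inbound", "severity": "high",
                "src": flow.src, "dst": flow.dst, "segment": dst_seg}
    if dst_seg == "external":
        dst_ip = ipaddress.ip_address(flow.dst)
        if any(dst_ip in net for net in ALLOWED_EXTERNAL.get(src_seg, [])):
            return None
        severity = "high" if flow.bytes_out >= EXFIL_BYTES_THRESHOLD else "medium"
        return {"kind": "exfil-candidate", "severity": severity,
                "src": flow.src, "dst": flow.dst, "segment": src_seg}
    if (src_seg, dst_seg) in ALLOWED_INTERNAL:
        return None
    return {"kind": "lateral-movement", "severity": "high",
            "src": flow.src, "dst": flow.dst, "segment": f"{src_seg}->{dst_seg}"}


def review(lines):
    """Run every flow line through the policy; return (alerts, unparsed_count)."""
    alerts, unparsed = [], 0
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            unparsed += 1
            continue
        alert = classify(flow)
        if alert:
            alert["line"] = line.strip()
            alerts.append(alert)
    return alerts, unparsed


# Constructed sample flow records (not captured traffic).
SAMPLE_LOG = [
    "src=10.10.0.17 dst=203.0.113.10 dport=443 bytes=4200",    # POS -> processor: expected
    "src=10.10.0.17 dst=198.51.100.77 dport=443 bytes=910000", # POS -> unknown external: large
    "src=10.10.0.17 dst=10.30.0.5 dport=1433 bytes=12000",     # POS -> database: no business need
    "src=10.40.0.9 dst=10.30.0.5 dport=1433 bytes=5000",       # corp -> database: allowed
    "src=10.40.0.9 dst=10.20.0.3 dport=8443 bytes=800",        # corp -> payment gateway: not allowed
    "src=10.10.0.18 dst=10.10.0.1 dport=53 bytes=120",         # POS -> POS: intra-segment
    "malformed record",                                        # counted as unparsed
]

if __name__ == "__main__":
    found, bad = review(SAMPLE_LOG)
    for a in found:
        print(f"{a['severity']:6} {a['kind']:18} {a['src']} -> {a['dst']} ({a['segment']})")
    print(f"{bad} unparsed line(s)")
```

The value of the check is that it says nothing about the malware itself; it only knows which flows have a business justification. A terminal that starts pushing hundreds of kilobytes to an address outside the processor's range, or opening a database port in another segment, is flagged whether or not any antivirus signature for the code on that terminal exists. In practice the allow-lists would be generated from the segmentation design rather than typed by hand, and the alerts would feed the trained monitoring staff the passage describes.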

Customized malware poses an unprecedented risk to virtually all organizations. Organizations that fail to understand the dynamic nature of this situation and adjust their approach accordingly are at imminent risk of a cyberattack and the consequences that accompany these incidents.

About the Author

John Moynihan

President, Minuteman Governance

John Moynihan, CGEIT, CRISC, is President of Minuteman Governance, a Massachusetts cybersecurity consultancy that provides services to public and private sector clients throughout the United States. Prior to founding this firm, he was CISO at the Massachusetts Department of Revenue from 1997-2008. He has published several articles, presents at major industry events and regularly provides media commentary on evolving cyber security issues.
