Cyber defence is a blended solution; multiple elements are required for it to be truly effective and for particularly evasive malware to be detected and stopped.
One of the first things we need to understand is that malware normally needs a user to ensure its delivery. Let’s start there. People clicking on links in phishing emails, visiting websites that they should not, or being trapped by socially engineered watering-hole attacks tend to form the bulk of delivery methods for malware.
Granted, some malware has been found “built-in” and sometimes it comes via a random USB from events or, if you watch Mr Robot, dropped in a car park. Malware rarely enters an organisation without a human conduit and this is largely through ignorance, not malice. We cannot rely on software to detect and neutralise all malware. Once it is inside the network, malware may be undetected for a very long time – even with monitoring in place – if it is smart.
Basically, we know heuristics are clever but, in the main, for someone to receive a flu jab, someone has to have caught the flu strain in the first place. Heuristics are generally not that far ahead of the game. So what do we do? We know we need anti-malware software that is up to date and appropriately deployed, but this is part of the blended approach, not all of it.
Before we can get into the software required to handle the technical threat, we need to do everything we can for ourselves to make sure users (including board members and senior management, who generally have access to sensitive and valuable information and are a juicy target) know how to spot threats and abstain from risky behaviours. This will decrease the chance of a successful incursion straight away.
I was recently carrying out some training and more than half of the delegates did not know what a phishing email was. It is the most successful and prolific attack vector we face, and more than half of the people on the course did not know what it was.
So unless we augment detection, quarantine, analysis and destruction software with good quality awareness training and policy, we will not defeat the software that seeks to evade detection.
Sometimes the best detection and analysis is carried out by well-trained people – we need software, but it is designed to work on pre-programmed logic and therefore will always need the sense check of a well-trained user to get the most out of it.
For instance, some police forces are using people they call “super recognisers” in place of facial recognition software as they have been found to be more successful. This is because the human computer deals well with nuance and sometimes that is important in dealing with malware too.
Savvy users, combined with a good incident management process, good forensic readiness and a great (and well tested and updated) business continuity plan, will offer a great start in preparing for this inevitable malware evolution.