Tag Archives: The Cyber Intelligencer

Consumers cut off from progress in endpoint protection?

23 January 2016

The Dridex banking Trojan is back from the ashes like the Phoenix. In his post ‘Dridex malware adopts redirection attacks to target high-value UK banking customers’, published on 20 January 2016 in security blog GrahamCluley, David Bisson clearly shows that the Trojan attacks banks and end users with terrifying speed.

How can end users protect themselves?

‘As for ordinary users, maintaining an updated anti-virus solution and refusing to click on suspicious links will go a long way towards protecting your life savings from low-life criminals.’

To be honest, the advice to keep the anti-virus solution up-to-date creates a false sense of security. Let me give you a current example.

Last Tuesday I got an email with an attachment containing the malware ‘VirTool:Win32/CeeInject.GF’. I uploaded the attachment to VirusTotal for inspection and found that only 8 of 54 anti-virus solutions identified the malware, although the malware or a variant was first published about 9 months ago:

Table 1: Result of first scan

These are definitely not the heavyweights in the consumer market. 7 hours later only 12 of 54 anti-virus solutions identified the malware. For the development over the following days see the table below:

Table 2: Changes in identification rate

In the worst case consumers were unprotected for about 2 days. Moreover, up to yesterday evening 22 of 54 anti-virus solutions had still not identified the malware.

Advanced endpoint security tools would definitely do better. Unfortunately, the vendors of such solutions focus on private businesses.

In the latest issue of the Cyber Intelligencer Michael Applebaum writes:

‘What the industry desperately needs is rigorous, scientifically validated third-party testing of endpoint security technologies, across a range of real-world scenarios. Invincea has been prominently calling for this and we hope to see progress in 2016 by reputable third parties.’

Even more than the industry, consumers need decision-making aids for protecting themselves effectively against malware. At the moment they are not benefiting from the progress in technology at all.

As always, the user is the first and best line of defense. ‘Check twice before you click on any link or attachment’ is the best possible advice.

Have a good weekend, and don’t rely too much on your anti-virus solution!

The Sum of all Gaps

18 January 2016

In the 11 January issue of the Cyber Intelligencer Invincea’s COO Norm Laudermilch talks about the difficulties in evaluating the effectiveness of endpoint security products:

‘The key is to understand what part of the threat landscape a product covers, the scope of the protection, the efficacy of that protection, and how it fits with the rest of your security and IT architecture.’

Very well said! But it is important to take the next step: once you have conducted this evaluation, the sum of all gaps, i.e. the residual risk, can be grasped.

In my opinion this is the most important information. It shows the critical vulnerabilities and, when related to the current overall threat landscape, the direction for further investments. A CISO is well advised to do this matching regularly.

Have a good day.

How to protect against just-in-time malware

18 August 2015

On Sunday morning at the breakfast table I always read the latest issue of Invincea’s The Cyber Intelligencer. In this week’s issue Michael Applebaum writes about just-in-time malware that is not recognized by any traditional or next-generation endpoint protection tools. I fully agree with Michael that an attacker has to hijack only one endpoint to compromise an entire company network.

But it is not necessary to exploit unpatched vulnerabilities or zero-days. A built-in weakness of the Windows OS, e.g. UAC not being set to “Always notify me” by default, is enough to get privileged access and start exploring the victim’s computer and network.

But the worst is yet to come: if the attacker is not too greedy and impatient, it is very hard to detect his activities, because only standard Windows tools are used.

Prevent, detect and contain are the keys to successful protection against such threats. In its report ‘Defensive Best Practices for Destructive Malware’, the NSA’s Information Assurance Directorate shows the direction. It is worth noting that most of the technical measures described in this report are just built-in functions of operating systems. No rocket science! But the measures on the people and process level make the difference. For details see e.g. the bullet point “Protect and restrict administrative privileges”.
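A read-only check for the UAC weakness mentioned above, added here as an example (not code from the post, from Invincea or from the NSA report): it reads the three registry values that decide whether an administrator sees the “Always notify” prompt and reports any deviation. It assumes Windows PowerShell 5.1 or later on the machine being audited.

```powershell
# Added example, not code from the post or from Invincea: report whether UAC is at the
# "Always notify" position for administrators. Read-only; it changes no setting.
function Test-UacAlwaysNotify {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key -ErrorAction Stop

    # Microsoft's documented meanings of ConsentPromptBehaviorAdmin
    $adminBehavior = @{
        0 = 'Elevate without prompting'
        1 = 'Prompt for credentials on the secure desktop'
        2 = 'Prompt for consent on the secure desktop (Always notify)'
        3 = 'Prompt for credentials'
        4 = 'Prompt for consent'
        5 = 'Prompt for consent for non-Windows binaries (Windows default)'
    }

    # Values that correspond to the "Always notify" slider position
    $expected = [ordered]@{
        EnableLUA                  = 1   # UAC enabled at all
        ConsentPromptBehaviorAdmin = 2   # consent prompt, not silent elevation
        PromptOnSecureDesktop      = 1   # prompt isolated on the secure desktop
    }

    $results = foreach ($name in $expected.Keys) {
        $actual = $p.$name
        if ($null -eq $actual) { $actual = 'missing' }   # absent value: OS default applies
        [pscustomobject]@{
            Setting  = $name
            Actual   = $actual
            Expected = $expected[$name]
            Ok       = ($actual -eq $expected[$name])
        }
    }
    $results | Format-Table -AutoSize | Out-Host

    $cpba = $p.ConsentPromptBehaviorAdmin
    if ($null -ne $cpba -and $adminBehavior.ContainsKey([int]$cpba)) {
        Write-Host "Admin prompt behaviour: $($adminBehavior[[int]$cpba])"
    }
    # $true only when every value matches "Always notify"
    return -not ($results | Where-Object { -not $_.Ok })
}

Test-UacAlwaysNotify
```

Reading this key needs no elevation, so the check can run from a standard user session; where Group Policy manages UAC, the values it reports are the ones the policy enforces.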

Enjoy reading and have a good day!