By: Bob Tarzey, Service Director, Quocirca
Published: 7th August 2012
Copyright Quocirca © 2012
For those in the IT security community the names given to various types of malware soon become familiar. Even the general public may recognise the names of some of the more notorious ones reported in the popular press: Stuxnet, Flame, Zeus and so on. It is easy to forget that all malware starts out with no name, anonymous, which is the way the perpetrators of malware attacks would like it to stay. The names are given by the defenders in the on-going battle against cyber-crime.
New malware is perhaps the biggest challenge facing the IT security industry: the unknown unknowns, as a former US Secretary of Defense put it. The term used in the industry is zero-day attack. Security vendors have become pretty good at spotting the known stuff over the years; at its most basic that is a big part of what most desktop anti-virus and content-filtering products do: we have seen this before and it is bad news. This type of signature-based defence still works and is necessary to prevent many mass-market, randomly targeted attacks. However, on its own it is no longer enough.
To stop zero-day attacks takes something more. The issue is pressing because the most dangerous attacks are not randomly targeted; we are after YOU (or YOUR ORGANISATION). Here the malware will often be specifically crafted for a given attack, so whilst, for example, the Flame malware may have been seen before, the particular build used against a given target has not. A signature derived from an earlier sample does not match it, so traditional signature recognition does not work. It is this targeting that characterises many of the attacks that have come to be termed APTs (advanced persistent threats). The attack keeps going until the target is penetrated, whatever it takes.
There are a number of approaches for spotting and/or mitigating zero day attacks:
File reputation services: the providers of such services, which include Symantec, McAfee, Trend Micro and BlueCoat, know what is bad (black) as well as what is good (white). They assess the new stuff that lies in between based on various factors and create grey-lists; their customers decide on the acceptable level of risk by selecting the point on the grey scale at which they start blocking content. Bit9 is another security vendor providing such a service. When Flame was named, Bit9 checked its records and found it had already been blocking a single instance of it for one customer eight months earlier. Being unnamed does not mean unseen.
Check everything: security vendor FireEye claims to offer 100% protection. It has been growing fast, having increased its head count six-fold in two years, and having attracted the former McAfee boss Dave DeWalt to chair its board it seems to be doing something right. FireEye treats everything as suspicious rather than white-, grey- or black-listing it. To do this, all executable files are detonated in a safe environment (a sandbox) on one of its network-based appliances before being passed through to their destination. FireEye also checks picture, PDF and other file types to ensure they are not being used to disguise malware. The caveat with any detonation approach is that it only sees what a sample chooses to do inside the sandbox: malware that checks for a virtualised environment or delays its payload can pass through clean, so the 100% figure should be read as a vendor claim rather than a guarantee.
Better managing privileges: the instance of Flame that Bit9 detected needed Windows admin rights to run. The user of the PC where the attack was detected did not have such rights. Access was probably gained via a Windows vulnerability that allowed the malware to run at admin rather than user level. The granting, management and on-going use of admin rights on Windows devices is often poorly controlled. It need not be; with the right tools in place, admin activity can be limited and audited. Had this been the case, Flame may not have been able to run at all, or would soon have been spotted. Such tools are provided by vendors such as BeyondTrust, Avecto and Viewfinity.
Advanced cyber-security intelligence (ASI): all of the mechanisms listed above are point security products. They work by looking at network traffic at a single point on the network, or by better securing a particular end-user device. ASI is a different approach and supplements point security products by taking a more holistic view of IT systems. ASI tools are souped-up versions of existing security information and event management (SIEM) tools, correlating a wide range of information in real time to detect threats; some are terming them next-generation SIEM (NG-SIEM). Even if the malware had not been blocked on reputation, and admin rights had not been controlled, the combination of communication with a suspicious IP address and the regular running of an unusual file at a strange time of day would soon raise a red flag. Vendors include LogRhythm, IBM (via its Q1 Labs acquisition) and McAfee (via its Nitro Security acquisition).
LogRhythm recently reported a case where one of its customers observed, simultaneously, multiple machines attempting connections to unauthorised IP addresses outside its own network. LogRhythm's NG-SIEM product had been collecting log data from the customer's firewalls, and an "out-of-the-box" rule detected the suspicious activity. The destination ports of the connection attempts were identified as ones associated with Trojan traffic, and the servers were cleaned up. In this case the Trojan itself had been detected and removed some time before, but its job had been to deliver and install its payload (a rootkit), and that had already been done before the Trojan was detected.
File reputation, file detonation, control of Windows admin rights, NG-SIEM: these are all advanced security practices that businesses should be considering as they heed reports such as the one issued recently by the UK's MI5, which recorded an 'astonishing' level of cyber-attacks. They are not alternatives to existing security products but form part of a multi-layered approach to IT security, the only way to stand a chance in an increasingly threatening cyber-space.
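As an added illustration of the kind of correlation rule described in the two paragraphs above (this is example code written for this page, not LogRhythm's rule or any vendor's product), the Python below reads constructed firewall log lines and flags an external address and port that several internal hosts tried to reach within a short window, noting whether the port is on an assumed watch-list of Trojan-associated ports and whether the activity fell outside business hours. The log syntax, the internal address ranges, the port list, the business-hours range and the thresholds are all assumptions made for the example.

```python
"""Added example: a firewall-log correlation rule of the kind an NG-SIEM runs.
Constructed data and assumed formats; not any vendor's rule or logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample firewall lines in an assumed key=value syslog style.
# Three internal hosts reach one external address on port 6667 within seven
# seconds at 03:14; the remaining lines are ordinary traffic plus one junk line.
SAMPLE_LOGS = """\
2012-08-07T03:14:02 fw1 action=allow src=10.0.1.15 dst=203.0.113.7 dport=6667 proto=tcp
2012-08-07T03:14:05 fw1 action=allow src=10.0.1.22 dst=203.0.113.7 dport=6667 proto=tcp
2012-08-07T03:14:09 fw1 action=deny src=10.0.1.31 dst=203.0.113.7 dport=6667 proto=tcp
2012-08-07T03:14:11 fw1 action=allow src=10.0.1.15 dst=198.51.100.20 dport=443 proto=tcp
2012-08-07T09:02:44 fw1 action=allow src=10.0.1.40 dst=198.51.100.20 dport=443 proto=tcp
2012-08-07T09:03:01 fw1 action=allow src=10.0.1.41 dst=10.0.2.5 dport=445 proto=tcp
this line is not a firewall record and is skipped
"""

# Assumed: RFC 1918 space is "inside"; everything else is outside the network.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# Assumed watch-list of ports historically tied to Trojan/IRC command-and-control.
# Illustrative only; a real deployment would feed this from threat intelligence.
TROJAN_PORTS = {6667, 31337, 12345, 4444}

BUSINESS_HOURS = range(7, 19)   # assumed 07:00-18:59 local time

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<fw>\S+) action=(?P<action>\w+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_line(line):
    """Return a dict for a well-formed record, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_coordinated_outbound(lines, window=timedelta(minutes=5), min_hosts=3):
    """Flag each external (dst, dport) that at least `min_hosts` distinct internal
    sources tried to reach within `window`. Denied attempts count too: a blocked
    connection still shows the host tried, which is exactly the signal we want."""
    by_target = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if is_internal(rec["src"]) and not is_internal(rec["dst"]):
            by_target[(rec["dst"], rec["dport"])].append(rec)

    alerts = []
    for (dst, dport), recs in by_target.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):          # slide a window over the sorted attempts
            hosts = {r["src"] for r in recs[i:] if r["ts"] - first["ts"] <= window}
            if len(hosts) >= min_hosts:
                alerts.append({
                    "dst": dst, "dport": dport, "hosts": sorted(hosts),
                    "first_seen": first["ts"],
                    "trojan_port": dport in TROJAN_PORTS,
                    "off_hours": first["ts"].hour not in BUSINESS_HOURS,
                })
                break                              # one alert per target is enough
    return alerts


if __name__ == "__main__":
    for alert in find_coordinated_outbound(SAMPLE_LOGS.splitlines()):
        print(alert)
```

On the constructed data the rule raises one alert, for 203.0.113.7:6667 from three hosts at 03:14, marked as a watch-listed port and off-hours; the two hosts that reach 198.51.100.20:443 hours apart are not flagged, because a single destination on 443 during the day is normal. The point of the rule is the coincidence across several machines, which no single host's own logs would show; the thresholds and window are what an operator tunes to trade false positives against sensitivity.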
Quocirca’s report Advanced Cyber Security Intelligence is free to readers at this link: http://ecrm.logrhythm.com/WebQuocircaAdvancedCyberSecurity7-2012.html
Posted: 7th August 2012 | By Mortimer Snerd:
Rumsfeld was secretary of defense twice, White House chief of staff, director of the office of economic opportunity, and a representative from Illinois, but never secretary of state. Credibility is in the details :).
Published by: IT Analysis Communications Ltd.