In the last few years, organizations have been subject to extortion through ransomware. Now, hackers are bypassing the nasty business of trying to get people to give them cryptocurrency to simply hijacking your processor to mine for cryptocurrency. As a result, the methods employed are growing in sophistication and creativity, including using internet memes to compromise systems.
The malware threat is compounded by the increasing attack surface. For example, as organizations move to the cloud, so too do cybercriminals. Cloud assets are as vulnerable to malware attacks as your on-premise systems. Not to mention the increasing use of internet-connected IoT devices both in the office and the home.
And while organizations focus on malware prevention and detection (and rightly so), malware forensics is an important remediation capability that is often forgotten. When malware is discovered, you can’t remediate unless you know exactly what the malware did and what it changed.
Three Basic Steps to Mitigate the Risk of an Attack
Given the increase in the number of malware and their sophistication, what’s the best way to mitigate the risk of an attack? There are three basic steps you can take:
- Ensure that your entire environment is configured securely.
- Monitor those systems for evidence of tactics, techniques and procedures (TTPs) employed by malware authors.
- Analyze unexpected changes that involve new or updated files for malicious behavior.
Maintaining secure configurations of your assets is a great way to mitigate a significant amount of risk from malware. This not only includes securing server, network device and application (like database and web server) configurations but also things like cloud management accounts and containers. Organizations such as CIS and NIST produce specific, measurable and actionable policies on how to secure a wide array of assets.
Since the specific files associated with malware change rapidly, it’s important to look for evidence of the tactics, techniques and procedures employed by malware authors. This is why the MITRE ATT&CK framework was created.
Based on the analysis of real-world attacks, the ATT&CK framework tells you what evidence to look for of an attack. Monitoring systems for change associated with malicious behavior provides an important layer of defense from malware.
Another layer is the most obvious. If you are monitoring systems for malicious change, why not perform malware analysis on any new or changed files?
A common technique is to check file hashes against a list of known malware. However, given the rapid change in malware attacks, this, while necessary, isn’t sufficient. Files that aren’t recognized need to be analyzed.
The trick is that sophisticated malware authors know that their malware is going to be analyzed. They design their malware to look benign if they malware thinks it’s being analyzed. If you want to mitigate risk through malware analysis, make sure that the analysis solution is smart enough to trick malware into thinking it’s running on its intended target.
That’s why we rolled out Tripwire Malware Detection. Tripwire Enterprise is already recognized as the best change monitoring and secure configuration management solution in the industry. Tripwire Malware Detection adds the ability to analyze new and changed files for malware. Our analysis goes way beyond checking of file hashes. Files are analyzed in an emulated environment so that the malware reveals its true nefarious nature. Tripwire Enterprise receives the results.
At that point, analysts can take any number of actions from sending an e-mail notification or an alert to your SIEM all the way to creating a ticket in your ITSM tool. By incorporating threat intelligence with Tripwire Malware Detection and Tripwire Enterprise, you can significantly mitigate the risk of a breach due to malware.
For more information about Tripwire Malware Detection, click here.