1 Introduction
The cost of cybercrime related to malware alone is expected to reach $6 trillion globally by 2021. Therefore, endpoint protection against malware and other cybercriminal attacks has never been more important for businesses, governments and individuals.
Supported by a well-organised, funded and resourced underground economy, malware and other cybercriminal attack methods continue to evolve and proliferate at a rapid pace. As a result, the number of known threats has grown from fewer than 2,000 in the early 1990s to hundreds of millions today. Malware also comes in many forms: viruses, worms, rootkits, botnets, fileless malware, ransomware, and crypto-miners, each representing a different way of exploiting known and unknown (zero-day) vulnerabilities in widely-used operating systems and business applications.
In addition to the staggering volume of malware threats with hundreds of thousands of new variants detected on a daily basis, malware continues to become more complex as demonstrated by NotPetya, which included several propagation methods at its disposal to increase the likelihood of success.
The most sophisticated malware not only has several propagation and infection methods at its disposal, but is also increasingly split into multiple stages and combines several techniques to achieve its objectives while avoiding detection: credential theft and privilege escalation to access systems and data while disguised as a legitimate user, and “code caves” to hide malicious code inside legitimate applications.
The potential impact of malware is also increasing, with thousands of private and public sector organisations continuing to be crippled by ransomware attacks designed to make money by encrypting critical data and demanding payment for its release.
Although NotPetya appeared to be ransomware, it is more accurately described as destructive malware, with a potentially even greater impact on business operations than true ransomware. NotPetya, along with various “wiper” attacks, was designed to destroy or overwrite data on computer hard drives.
Taken collectively, these attacks represent the rise of data-destroying malware, part of a growing trend of state-sponsored attacks that are much more damaging than traditional cybercriminal attacks and tend to have a 100% penetration rate due to the high levels of investment in their development. The best-known “wiper” attacks are probably the 2012 and 2016 Shamoon attacks targeting Saudi energy companies and the 2014 RawDisk attack on Sony Pictures.
At the same time, the number of attack techniques continues to expand beyond malware to include weaponized documents and even fileless attack methods that avoid signature-based detections by propagating through process or memory injection without being written and transferred as a file.
As a result, traditional endpoint protection systems that rely solely on signature-based detection are no longer effective in the face of an increasing number of previously unknown malware variants and attack methods, as well as the growing number of fileless attacks that use legitimate native tools like PowerShell to assemble and execute the malicious payload.
The number of attack channels has also grown since the 1990s, from malicious emails, links and attachments to include malicious social media accounts, compromised legitimate websites, and compromised mobile and desktop applications, including browsers and browser plugins.
In light of these developments in the threat landscape, it has become increasingly important for organizations to have multiple layers of defence and, if these fail, the capability to detect and respond to successful attacks, not only to limit the damage but also to ensure business continuity. For more on this topic, see: Advisory Note: Business Continuity in the age of Cyber Attacks – 70361.
Similarly, Endpoint Detection & Response (EDR) solutions have become increasingly popular in recent years as a means of helping security analysts determine whether core security mechanisms have failed, whether their systems have been attacked and compromised, and whether valuable data has been exfiltrated. The main goal of EDR solutions is typically to reduce the Mean Time To Respond (MTTR), given that many reports show that attackers can spend months inside organizations before being detected.
EDR solutions look for evidence and effects of malware/malicious activities that may have slipped past Endpoint Protection (EPP). This evidence, known as Indicators of Compromise (IOCs), is often indicative of reconnaissance and lateral movement by adversaries as well as data exfiltration attempts that are hallmarks of APT (Advanced Persistent Threat) attacks. IOCs typically include:
- MD5 file hashes
- Known bad IPs and URLs
- File/process name mismatches
- Unusual process injections
- Unusual application/network port usage
- Registry changes
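To make the IOC categories above concrete, the following added example (not part of the advisory note) shows the kind of matching an EDR back end performs over agent telemetry. All IOC values, expected-path tables and telemetry records are constructed placeholders: the hash is a dummy string, the "bad" network is the documentation range 203.0.113.0/24, and the URL uses the reserved `.invalid` domain. The record field names (`process`, `image_path`, `md5`, `remote_ip`, `remote_port`, `url`, `injected_into`, `registry_key`) are assumptions for illustration, not any product's schema.

```python
"""Minimal IOC matcher over constructed endpoint telemetry.

Added example for illustration only; IOC sets and records are made up.
"""
import ipaddress
from collections import namedtuple

# --- Constructed IOC sets (placeholders, not real threat intelligence) ---
KNOWN_BAD_MD5 = {"0123456789abcdef0123456789abcdef"}          # dummy hash
KNOWN_BAD_NETS = [ipaddress.ip_network("203.0.113.0/24")]     # TEST-NET-3
KNOWN_BAD_URLS = {"http://example.invalid/payload"}           # reserved TLD

# Expected install locations for commonly impersonated Windows binaries.
# A process using one of these names from any other path is a name/path mismatch.
EXPECTED_PATHS = {
    "svchost.exe": {r"c:\windows\system32\svchost.exe"},
    "lsass.exe": {r"c:\windows\system32\lsass.exe"},
}

# Ports a given application is expected to talk to; an empty set means the
# application is not expected to open network connections at all.
EXPECTED_PORTS = {
    "outlook.exe": {443, 587, 993},
    "winword.exe": set(),
}

# Registry locations commonly used for persistence (lower-cased for matching).
PERSISTENCE_KEYS = (
    r"hkcu\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\run",
)

Finding = namedtuple("Finding", "host ioc_type detail")


def check_record(rec):
    """Return a list of Findings for one telemetry record (empty if clean)."""
    findings = []
    host = rec.get("host", "?")
    name = rec.get("process", "").lower()
    path = rec.get("image_path", "").lower()

    # Known-bad file hash
    md5 = rec.get("md5", "").lower()
    if md5 in KNOWN_BAD_MD5:
        findings.append(Finding(host, "bad_hash", md5))

    # Known-bad IP (matched against CIDR blocks) and URL
    ip = rec.get("remote_ip")
    if ip:
        try:
            addr = ipaddress.ip_address(ip)
            if any(addr in net for net in KNOWN_BAD_NETS):
                findings.append(Finding(host, "bad_ip", ip))
        except ValueError:
            pass  # malformed address; a real pipeline would log this
    if rec.get("url", "") in KNOWN_BAD_URLS:
        findings.append(Finding(host, "bad_url", rec["url"]))

    # File/process name mismatch: system binary name from an unexpected path
    expected = EXPECTED_PATHS.get(name)
    if expected and path not in expected:
        findings.append(Finding(host, "name_path_mismatch", f"{name} from {path}"))

    # Process injection reported by the agent
    if rec.get("injected_into"):
        findings.append(Finding(host, "process_injection",
                                f"{name} -> {rec['injected_into']}"))

    # Unusual application/port usage
    port = rec.get("remote_port")
    if port is not None and name in EXPECTED_PORTS and port not in EXPECTED_PORTS[name]:
        findings.append(Finding(host, "unusual_port", f"{name}:{port}"))

    # Registry change under a persistence location
    reg = rec.get("registry_key", "").lower()
    if reg.startswith(PERSISTENCE_KEYS):
        findings.append(Finding(host, "registry_persistence", reg))

    return findings


def scan(records):
    """Run check_record over every record and flatten the findings."""
    return [f for r in records for f in check_record(r)]


# Constructed telemetry: one clean record, two suspicious ones.
SAMPLE_TELEMETRY = [
    {"host": "ws01", "process": "outlook.exe",
     "image_path": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "md5": "ffffffffffffffffffffffffffffffff",
     "remote_ip": "198.51.100.10", "remote_port": 443},
    {"host": "ws02", "process": "svchost.exe",
     "image_path": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
     "md5": "0123456789ABCDEF0123456789ABCDEF",
     "remote_ip": "203.0.113.5", "remote_port": 4444},
    {"host": "ws03", "process": "winword.exe",
     "image_path": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "md5": "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee",
     "remote_ip": "198.51.100.7", "remote_port": 8080,
     "url": "http://example.invalid/payload",
     "injected_into": "explorer.exe",
     "registry_key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_TELEMETRY):
        print(f"{f.host}: {f.ioc_type} ({f.detail})")
```

Each check maps to one bullet in the list above; in practice the hash and IP sets would be fed from threat intelligence and the expected-path and port tables from a baseline of the organisation's own software inventory.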
When it comes to endpoint protection products, key features therefore include agents for detecting and preventing execution of malicious code as well as a management console for collecting and analyzing information from deployed agents, for collecting agent patch status, and for pushing upgrades.
All end-user computers, smartphones, and tablets should have anti-malware endpoint security clients installed, preferably with up-to-date subscriptions. Servers and virtual desktops should be protected as well. Windows platforms are still the most vulnerable, but there is an increasing amount of malware for Google’s Android and Apple’s iOS mobile operating systems as well as for Apple’s MacOS. As the market share of these operating systems increases, the malware for those platforms is also likely to increase.