The Conficker threat and the reality of targeted attacks
The Conficker worm is still one of the biggest ongoing threats to enterprises, says Microsoft.
According to the newly released Microsoft Security Intelligence Report volume 12, quarterly detections of the Conficker worm have increased by more than 225 percent since the beginning of 2009.
In the fourth quarter of 2011 alone, Conficker was detected on 1.7 million systems worldwide. In examining the reasons behind Conficker’s prevalence in organizations, research showed that 92 percent of Conficker infections were a result of weak or stolen passwords, and 8 percent of infections exploited vulnerabilities for which a security update exists.
The SIRv12 also revealed that many of the threats often referred to as Advanced Persistent Threats (APTs) are no more advanced or sophisticated than other types of attacks.
“Labeling cyberthreats as “advanced’ is often times misleading and can divert organizations’ attention away from addressing basic security issues, which can prevent more common threats from infiltrating their systems,” said Tim Rains, director of Microsoft Trustworthy Computing. “Most attacks do not possess new, super-advanced techniques or technology as the APT label implies; in the majority of cases, they simply exploit weak or stolen passwords or vulnerabilities for which a security update exists and employ social engineering.”
This is why Microsoft refers to these types of threats as Targeted Attacks performed by Determined Adversaries, rather than APTs.
Microsoft recommends that customers and businesses adhere to the following security fundamentals to help ensure they are protected:
- Use strong passwords and educate employees on their importance
- Keep systems up to date by regularly applying available updates for all products
- Use antivirus software from a trusted source
- Invest in newer products with a higher quality of software protection
- Consider the cloud as a business resource
For businesses, Microsoft also recommends a more holistic approach to risk management to help protect against both broad-based and targeted attacks (attack motives and tactics for both are also described in the report) including the following:
Prevention. Employ security fundamentals and pay close attention to configuration management and timely security update deployment.
Detection. Carefully monitor and perform advanced analysis to identify threats. Keep abreast of security events and leverage credible sources of security intelligence.
Containment. If the targeted organization has configured its environment with targeted attacks by determined adversaries in mind, it is possible to contain the attacker’s activities and thereby buy time to detect, respond to and mitigate the attack. To contain an attack, consideration should be given to architecting domain administration models that limit the availability of administrator credentials and apply available technologies, such as IPsec-based network encryption, to restrict unnecessary interconnectivity on the network.
Recovery. It is important to have a well-conceived recovery plan, supported by suitably skilled incident response capability. Maintain a “crisis committee” to set response priorities and engage in exercises to test the organization’s ability to recover from different attack scenarios.
“The ease with which Conficker continues to propagate in our networks shows that we continue to neglect basic OS hardening techniques. Improving the definition and enforcement of password policies, prompt patching and secure configuration of OS parameters such as Autorun will prove beneficial in combating not only Conficker, but also against Malware as a whole,” commented Wolfgang Kandek, CTO of Qualys.