As criminals continue to develop new methods to break or sidestep cyber defences, in many cases the focus is shifting towards the ability to detect and respond to an incident as quickly as possible. Despite the average cost of a data breach soaring to $17.36m in 2016 according to the Ponemon Institute, we have found the security industry’s incident response capabilities have advanced considerably in recent years.
The 2017 Trustwave Global Security Report, which examines the results of thousands of our investigations into security incidents, actually found that the time it takes to detect an intrusion has decreased over the last year.
Across the incidents we investigated in 2016, the median time from intrusion to detection of a compromise had fallen to 49 days, down from 80.5 days in 2015. This median represents a huge range of times – from breaches detected on the same day, to one outlier that took more than five years. However, overall the progress is significant, particularly in the face of increasingly sophisticated attacks designed specifically to counter the efforts of defence teams.
Evolving malware tactics
We have found an increasing number of attackers are now deploying malware families that have additional features designed to help them spread and escape detection. These additions work alongside their primary revenue-generating functions such as memory scraping or ransomware to prolong the attack.
Over a third (36 percent) of the malware we have encountered over the last year included the ability to download additional malware from a remote server. An increasing number of malware families are also including anti-analysis features, such as using process injection to hide within another legitimate process on the system, or implementing a remote administration function to provide the attacker with a backdoor into the system.
One of the most popular trends we have observed is the use of malware that resides in memory rather than on disk. This defeats many of the traditional measures used to detect malware, such as searching for a particular hash across the system.
Hiding in plain sight
A good example of this approach in action is PoSeidon, a malware family used to attack point-of-sale (POS) systems. The malware is a memory scraper program that searches the computer’s memory for data sequences that match patterns, such as a credit card number. The PoSeidon binary is a simple injector into svchost.exe, but while this still resides on disk, the credit card scraping malware only lives in memory. Alongside this, PoSeidon is also a good example of the way popular malware families are constantly evolving and being improved by the community. Despite first appearing a couple of years ago, in 2016 we detected significant new features including privilege escalation and a monitor process that ensures it remains installed and active.
Because it is not present on disk, malware like PoSeidon can only be discovered through memory analysis, using a memory image to determine information about running programs. While there are automated tools available to assist with analysis, an investigation generally needs a trained and experienced professional. An expert hand is also needed to tackle memory-resident malware once it has been discovered, as the best approach is to reverse engineer it to contain and fix the infiltration vector.
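As an added illustration (not code from the report or from any Trustwave tool), the Python example below shows one check a responder can run over an acquired memory image: locating cleartext card numbers that a disk-based hash sweep would never surface. The function names and the sample image are assumptions constructed for this example, and the card numbers are publicly documented test values.

```python
import re

# Digit runs of 13-19 characters, as ASCII and as UTF-16LE (digit + NUL),
# since Windows process memory commonly holds both narrow and wide strings.
ASCII_RUN = re.compile(rb"(?<![0-9])[0-9]{13,19}(?![0-9])")
WIDE_RUN = re.compile(rb"(?<![0-9]\x00)(?:[0-9]\x00){13,19}(?![0-9]\x00)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep first six and last four digits so reports hold no full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pan_candidates(image: bytes):
    """Return sorted (offset, encoding, masked_pan) for Luhn-valid runs."""
    hits = []
    for encoding, pattern in (("ascii", ASCII_RUN), ("utf-16le", WIDE_RUN)):
        for m in pattern.finditer(image):
            digits = m.group().replace(b"\x00", b"").decode("ascii")
            if luhn_ok(digits):
                hits.append((m.start(), encoding, mask(digits)))
    return sorted(hits)


# Constructed sample standing in for a slice of an acquired memory image.
# Both card numbers are publicly documented test values, not real accounts.
SAMPLE_IMAGE = (
    b"\x00" * 32 + b";4111111111111111=2512101?"            # Track 2 style, ASCII
    + b"\xff" * 16 + "5555555555554444".encode("utf-16le")  # wide string
    + b"\x00\x00order=1234567890123456" + b"\x00" * 8       # fails Luhn: ignored
)

if __name__ == "__main__":
    for offset, encoding, masked in find_pan_candidates(SAMPLE_IMAGE):
        print(f"0x{offset:08x}  {encoding:9}  {masked}")
```

A hit at an offset belonging to a process that has no business handling card data is the lead worth following up in the full memory analysis.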
Too complex to catch?
While good IT teams have previously had some success in addressing security issues, the advancing sophistication of malware means that even the most experienced IT practitioner will have a hard time detecting a compromise, let alone remediating it.
One of the most effective ways of accessing the advanced threat monitoring capabilities and expertise needed to identify and contain an incident is to employ a managed security service provider (MSSP). This will provide a network of threat intelligence on the latest developments and attacks, and will also mean there is 24-hour access to a team of experienced security practitioners. Premium MSSPs offer Managed Detection and Response for Endpoints (MDRe) services, which allow global teams of incident responders to threat hunt, respond to attacks, and remediate in real time, 24/7.
We have found that incidents which have been self-detected – either through the organisation's own internal teams or through a third-party service provider – were discovered an average of 60 percent faster compared to those found through an external party such as law enforcement or a regulator.
The median detection time for internal discoveries was just 16 days. Organisations that could detect breaches themselves were also able to contain the incident more quickly on average – an extremely important factor when every additional day leaves the attacker free to deal more damage.
While an experienced security team has become essential to tackle advancing malware, organisations that have taken the time to educate their staff on cyber practices will also have an advantage while they wait for the experts to arrive. A company playbook on how to identify malicious activity, limit the impact and aid in the investigation and recovery is essential. Well-meaning activity such as wiping an infected endpoint after a breach or the routine deletion of network traffic can destroy digital evidence that could help determine how the attack was carried out and what systems it accessed, making the investigation much longer and costlier.
We also find that some organisations will try to find any reason to avoid an investigation due to the expense involved. However, a thorough forensic investigation is essential for a company to ensure that its systems are once again secure and it is not at risk of further attack – as well as confirming exactly what was accessed during the intrusion. It’s also a strong sign the company is taking the breach seriously, which is very influential in restoring trust with customers, as well as dealing with any regulatory or legal repercussions.
With the criminal community continuing to develop new methods to evade detection and disrupt investigative efforts, however, it is more important than ever that organisations are prepared to handle an incident efficiently. Those that are able to combine good internal practice with external security expertise will have the best chance of discovering and containing incidents quickly – as well as preventing them from taking place at all.