So block anomalous activity first and ask questions later (please).
As IT professionals (and logical human beings) we have been taught to analyze a situation first and then act based on knowledge gained from the analysis. Acting without an understanding of the full picture is considered impulsive and oftentimes, even foolish.
This is not always the best strategy in today’s fast-paced environment of ever-evolving and growing security threats. When working with malware, security professionals need to unlearn the “think twice” philosophy – they need to act first on qualified intelligence and then, if needed, analyze the data in more detail. This is especially true in the temporal world of the internet where web-based malware needs to be treated like harmful parasites that must be terminated immediately upon detection to stop propagation. Frequently, web-based threats initially present as benign code or operations; however, they easily morph into overt threats without your knowledge.
Going against the grain is a good thing
Today, Google reports more than 495,000 monthly searches for the term malware, producing around 76.4 million results. This should come as no surprise considering that there are nearly 1 million new malware threats detected every day.
This high level of interest in the topic of malware combined with the aggressive growth of the security software market (valued at $75 billion in 2015) indicate that enterprises struggle to analyze and come to terms with the increasingly complex digital threat landscape. As studies consistently report on this lack of understanding about cybercrime and threats, it is high time that enterprises do something about it.
First, let’s get back to basics and clarify the definition of malware:
“Any code, program or application that displays abnormal behavior or that has an unwarranted presence on a device, network or digital asset.”
This means any code or behavior not germane to the intended execution of a web-based asset is considered malware. Malware does not need to be complex, overt or malicious right from the time it is detected.
This definition means annoying or seemingly innocuous behavior, such as out-of-browser redirect, excessive cookie use, non-human clicks/actions or toolbar drops qualify. Most of these behaviors may seem benign now, but a close look at both Indicators of Threat (IOC) and Patterns of Attack (POA) typically suggest another story altogether.
Don’t question the malware, question yourself
IT professionals who’ve spent thousands of dollars and hours of learning to develop a knowledge base find it difficult to simply act without questioning and possibly over-analyzing ready to utilize data sources.
Working with qualified intelligence sources will make it much easier to change the “endless analysis” paradigm. If you must ask questions, question yourself and not the malware (at least not before blocking it first).
IT professionals need to reflect on the rapidly evolving web-based threat landscape. On a frequent basis, ask yourself:
- Where are the vulnerabilities in my enterprise network?
- Are the tools used to secure my organization effective enough to handle increasingly sophisticated web-based attacks?
- What kind of threat intel resources are available? What is our experience with each source?
- What does my incident response look like? Is it swift and cost-effective?
- Where and how can I increase my operational efficiencies around my threat intelligence strategy?
Block first, ask questions later
The idea is simple, shield yourself against web-based breaches by being more proactive about the enterprise security posture. If and when breaches do occur, you should have at least limited the level of damage caused by loss of data, reputation and business continuity.
Before you spend all your time, money and effort on a full payload analysis of every malware alert, oftentimes, trying to verify the impossible, remember to block it first. What’s the worst that can happen? You block something that an employee needs? Trust me, they’ll let you know.